Secure data processor with cryptography and tamper detection

(57) The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU, the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security policy into an SPU-based application.
Description
1. BACKGROUND. 

[0001] This invention relates generally to integrated circuits for electronic data processing systems and, more specifically, to the architecture, implementation and use of a secure integrated circuit which is capable of effectively preventing inspection, extraction and/or modification of confidential information stored therein.

[0002] There are many applications in which information has to be processed and transmitted securely. For example, automated teller machines (ATMs) require the secure storage and transmission of an identifying number (in this context, a password or PIN number) to prevent unauthorized intruders from accessing a bank customer's account. Similarly, pay-per-view (PPV) cable and satellite television systems must protect keys which both distinguish authorized from unauthorized subscribers and decrypt encrypted broadcast television signals.

[0003] Typically, one or more integrated circuits are used to process the information electronically. These integrated circuits may themselves store internal confidential information, such as keys and/or proprietary algorithms for encrypting and decrypting that information, as well as implement the encryption/decryption engine. Clearly, there is a need for integrated circuits which are capable of preventing an unauthorized person from inspecting, extracting and/or modifying the confidential information processed by such integrated circuits. Further, it is desirable to destroy certain confidential information (e.g., the keys) and preserve other confidential information (e.g., historical data, such as accounting information used in financial transactions) upon detection of intrusion.

[0004] One problem with existing security systems is that the confidential information (keys, encryption/decryption algorithms, etc.) is, at some point in the process, available to potential intruders in an unencrypted ("cleartext") form in a non-secure environment. What is needed is a single secure integrated circuit in which the keys and the encryption/decryption engine and algorithms can be embodied and protected from intruders. Such an integrated circuit would effectively ensure that the information being processed (i.e., inputs to the chip) is not made available off-chip to unauthorized persons except in encrypted form, and would "encapsulate" the encryption/decryption process such that the keys and algorithms are protected, particularly while in cleartext form, from a variety of attacks.
[0005] Existing secure integrated circuits typically contain barriers, detectors, and means for destroying the confidential information stored therein when intrusion is detected. An example of a barrier is the deposition of one or more conductive layers overlying memory cells inside an integrated circuit. These layers prevent the inspection of the memory cells by diagnostic tools such as a scanning electron microscope. An example of a detector and destroying means is a photo detector connected to a switching circuit which turns off power to memory cells inside a secure integrated circuit upon detection of light. When power is turned off, the contents of the memory cells, if they are volatile, will be lost. The theory behind such a security mechanism is that the photo detector will be exposed to light when the enclosure of the integrated circuit is broken, intentionally or by accident. In either event it is often prudent to destroy the confidential information stored inside the integrated circuit.

[0006] One problem with existing security systems is the "hard-wired" nature of the process of responding to potential intrusions. Such systems are inherently inflexible because it is very difficult to change the behavior of the security features once the integrated circuit has been fabricated. The only way to alter the behavior of these security features is to undertake the expensive and time-consuming task of designing and fabricating a new integrated circuit.

[0007] Another consequence of a hard-wired architecture is that it is difficult to produce custom security features for low volume applications. This is because it takes a considerable amount of time and money to design and fabricate an integrated circuit. Consequently, it is difficult economically to justify building small quantities of secure integrated circuits, each customized for a special environment.

[0008] There are many situations in which it is desirable to use the same secure integrated circuit yet have the ability to modify the security features in accordance with the requirements of the application and environment. For example, if the secure integrated circuit is used to process extremely sensitive information, it will be prudent to implement a conservative security "policy" - e.g., destroying all the confidential data (e.g., keys) inside the integrated circuit upon detection of even a small deviation from a predetermined state. On the other hand, if the information is not very sensitive and it is not convenient to replace the secure integrated circuit, the security policy could be more lenient - e.g., action could be taken only when there is a large deviation from the predetermined state.

[0009] Thus, it is desirable to have a secure integrated circuit architecture in which a broad range of flexible security policies can be implemented.

2. SUMMARY OF THE INVENTION.

[0010] The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating the keys and the encryption/decryption engine and algorithms in the SPU, the entire security process is rendered portable and is easily distributed to its intended recipients, with complete privacy along the way. This is accomplished by the following SPU-based features: positive identification and reliable authentication of the card user, message privacy through a robust encryption capability supporting the major cryptographic standards, secure key exchange, secure storage of private and secret keys, algorithms, certificates or, for example, transaction records or biometric data, verifiability of data and messages as to their alteration, and secure authorization capabilities, including digital signatures.

[0011] The access card could be seen as a form of electronic wallet, holding personal records, such as one's driver's license, passport, birth certificate, vehicle registration, medical records, social security cards, credit cards, biometric information such as finger- and voiceprints, or even digital cash.

[0012] A personal access card contemplated for everyday use should be resilient to the stresses and strains of such use, i.e. going through X-ray machines at airports, the exposure to heat if left in a jacket placed on a radiator, a mistyped personal identification number (PIN) by a flustered owner, etc. Thus, in such an application, the SPU could be programmed with high tolerances to such abuses. A photo detector triggered by X-rays might be cued a few moments later to see if the exposure had stopped. Detection of high temperature might need to be coupled to other symptoms of attack before defensive action was taken. A PIN number entry could be forgiving for the first two incorrect entries before temporarily disabling subsequent functions, as is the case with many ATMs.

[0013] For an application like a Tessera Crypto-Card, a secure cryptographic token for the new Defense Messaging System for sensitive government information, the system might be programmed to be less forgiving. Handling procedures for Tessera Card users may prevent the types of common, everyday abuses present in a personal access card. Thus, erasure of sensitive information might be an early priority.

[0014] Various encryption schemes have been proposed, such as where a user creates and authenticates a secure digital signature, which is very difficult to forge and thus equally difficult to repudiate. Because of a lack of portable, personal security, however, electronic communications based on these schemes have not gained widespread acceptance as a means of conducting many standard business transactions. The present invention provides the level of security which makes such electronic commerce practical. Such a system could limit, both for new and existing applications, the number of fraudulent or otherwise uncollectible transactions.

[0015] Another possible application is desktop purchasing, a delivery system for any type of information product that can be contained in electronic memory, such as movies, software or databases. Thus, multimedia-based advertisements, tutorials, demos, documentation and actual products can be shipped to an end user on a single encrypted CD-ROM or broadcast through suitable RF or cable channels. Virtually any content represented as digital information could be sold off-line, i.e. at the desktop, with end users possibly permitted to browse and try such products before buying.

[0016] The encryption capabilities of the SPU could be employed to decrypt the information, measure and record usage time, and subsequently upload the usage transactions to a centralized billing service bureau in encrypted form, all with a high degree of security and dependability. The SPU would decrypt only the appropriate information and transfer it to a suitable storage medium, such as a hard disk, for immediate use.

[0017] Information metering, software rental and various other applications could also be implemented with an SPU-based system, which could authenticate users and monitor and account for their use and/or purchase of content, while securing confidential information from unauthorized access through a flexible security policy appropriate to the specific application.

[0018] This pay-as-you-go option is an incentive to information providers to produce products, as it minimizes piracy by authenticating the user's initial access to the system, securing the registration process and controlling subsequent use, thereby giving end users immediate access to the product without repeated authorization.

[0019] Other aspects and advantages of the present invention will become apparent from the following description of the preferred embodiment, taken in conjunction with the accompanying drawings and tables, which disclose, by way of example, the principles of the invention.
3. BRIEF DESCRIPTION OF THE DRAWINGS.

[0020]

FIG. 1 is a simplified block diagram of the apparatus in accordance with the present invention, showing the Secured Processing Unit (SPU) for performing PDPS.
FIG. 2 is a simplified block diagram of the Power Block shown in FIG. 1.
FIG. 3 is a schematic representation of the Silicon Firewall.
FIG. 4 is a schematic representation of an embodiment of the Silicon Firewall shown in FIG. 3.
FIG. 5 is a schematic representation of an alternative embodiment of the Silicon Firewall shown in FIG. 3.
FIG. 6 is a block diagram of the System Clock shown in FIG. 1.
FIG. 7 is a schematic representation of the Ring Oscillator shown in FIG. 6.
FIG. 8 is a block diagram of the Real Time Clock shown in FIG. 1.
FIG. 9 is a flowchart of the firmware process for performing the Inverting Key Storage.
FIG. 10 is a schematic representation of the Inverting Key Storage.
FIG. 11 is a block diagram of an embodiment of the Metallization Layer Detector shown in FIG. 1.
FIG. 12 is a schematic representation of an alternative embodiment of the Metallization Layer Detector shown in FIG. 1.
FIG. 13 is a schematic representation of a second alternative embodiment of the Metallization Layer Detector shown in FIG. 1.
FIG. 14(a) is a flowchart of the firmware process for performing the Clock Integrity Check.
FIG. 14(b) is a flowchart of the firmware process for performing the Power Integrity Check.
FIG. 15 is a flowchart of the firmware process for performing the Bus Monitoring Prevention.
FIG. 16 is a flowchart of the firmware process for performing the Trip Wire Input.
FIG. 17 is a flowchart of the firmware process for performing the Software Attack Monitor.
FIG. 18 is a flowchart of the firmware process for performing the Detection Handler.
FIG. 19 is a simplified representation of the stages of the Filtering Process, including correlating the detectors and selecting the responses.
FIG. 20 is a flowchart of the firmware process for performing the filtering of detectors and selection of response in the context of a specific application; in this instance, using an SPU-equipped PCMCIA card as a digital cash or debit card.

4. DETAILED DESCRIPTION.

a. General Architecture.

[0021] A flexible architecture in accordance with the present invention permits extension and adaptation to specific applications without a compromise in security. One physical embodiment of this invention is a single-chip SPU that incorporates a 20 MHz 32-bit CPU based on the National Semiconductor NS32FV16 Advanced Imaging and Communications microprocessor, but lacking that chip's Digital Signal Processing (DSP) unit.

[0022] Referring to FIG. 1, the gross features of the SPU architecture are described. This description is not meant to reproduce the physical layout of the chip, as some features have been moved or regrouped in order to gain a better conceptual understanding of the present invention. The SPU Micro Controller 3 is isolated from chip input - such input regulated by the External Bus Interface Block 9 and the general purpose I/O Port Block 1 - and receives its programming via an Internal Data Bus 10 from the onboard ROM Block 7. In one embodiment, the ROM Block 7 is configured at 32 KBytes, and the RAM Block 8 at ... KBytes. The Internal System Bus 10 carries all the major signals among the SPU peripherals, such as the address and data, the read and write strobes, enable and reset signals, and the Micro Controller clock signal, CTTL 25.

[0023] The System Clock Block 2 has a programmable internal high-frequency oscillator, and is the source, through SYSCLK 35, for the Micro Controller clock signal CTTL 25, which governs all peripheral functions.
[0024] The Real Time Clock 5 for the SPU follows the IEEE 1212 standard, which specifies control and status register architecture, and which builds upon and significantly enhances the UNIX time format (UNIX time being the number of seconds elapsed since January 1, 1970). The Real Time Clock 5 is implemented through a binary ripple counter which is driven via RTCLK 29 by an off-chip external 32.768 kHz quartz crystal in conjunction with RTC Oscillator 14 circuitry. Through an offset in battery-backed RAM 8, for example, the Real Time Clock 5 provides UNIX time, and can implement a host of time-based functions and time limits under ROM Block 7 program control. One firmware routine stored in the ROM Block 7 cross-checks the System Clock 2 and Real Time Clock 5 so as to overcome tampering with the latter.
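One way the cross-check of [0024] could be carried out, written in Python as an added example that is not the patent's firmware: the ripple counter is turned into UNIX time with the offset held in battery-backed RAM, and the seconds elapsed on the RTC between two readings are compared with the seconds implied by the CTTL cycles the Micro Controller counted over the same interval. The 20 MHz nominal CTTL rate, the 10 % drift allowance, the 32-bit counter width and the treatment of the ROLLOVER bit are assumptions of the example, not figures from the text.

```python
"""Cross-check of the Real Time Clock against the System Clock.

Added example, not code from the patent. Assumptions: CTTL nominally runs at
20 MHz (the rating given for the SPU elsewhere in the text), the on-chip
oscillator is trusted to within 10 %, and the RTC ripple counter is 32 bits
wide, so a ROLLOVER flag means the counter wrapped exactly once between
the two readings.
"""
from typing import Optional

RTC_HZ = 32768                 # off-chip 32.768 kHz crystal driving RTCLK
CTTL_HZ_NOMINAL = 20_000_000   # assumed nominal Micro Controller clock
DRIFT_TOLERANCE = 0.10         # assumed allowance for oscillator drift
RTC_COUNTER_BITS = 32          # assumed width of the ripple counter


def rtc_counter_to_unix(counter: int, offset_seconds: int) -> int:
    """UNIX time = whole seconds held in the counter + offset from battery-backed RAM."""
    return counter // RTC_HZ + offset_seconds


def rtc_elapsed_ticks(rtc_start: int, rtc_end: int, rollover: bool) -> Optional[int]:
    """Ticks elapsed between two counter readings, honouring the ROLLOVER bit.

    Returns None when the readings are inconsistent: the counter moved
    backwards without a rollover, or a rollover is flagged although the
    counter did not wrap.
    """
    if rollover:
        if rtc_end >= rtc_start:
            return None
        return (1 << RTC_COUNTER_BITS) - rtc_start + rtc_end
    if rtc_end < rtc_start:
        return None
    return rtc_end - rtc_start


def clock_integrity_check(rtc_start: int, rtc_end: int, cttl_cycles: int,
                          rollover: bool = False,
                          tolerance: float = DRIFT_TOLERANCE) -> bool:
    """True if the RTC and the System Clock agree on the elapsed time.

    False points at tampering with the RTC or its crystal, for example
    stopping it to stretch a rental period or running it fast to reach a
    time limit early. The System Clock is the reference because it sits
    inside the silicon boundary, whereas the crystal is on the board.
    """
    ticks = rtc_elapsed_ticks(rtc_start, rtc_end, rollover)
    if ticks is None:
        return False
    rtc_seconds = ticks / RTC_HZ
    sys_seconds = cttl_cycles / CTTL_HZ_NOMINAL
    return abs(rtc_seconds - sys_seconds) <= tolerance * sys_seconds
```

The firmware would read the counter and a CTTL cycle count at the start and end of any interval it cares about (a rental period, a time limit) and call `clock_integrity_check`; a failure is best fed into the Status Register path like any other detector rather than acted on directly, so that the policy in force decides the response.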

[0025] The I/O Port Block 1 is a general-purpose programmable input/output interface which can be used to access off-chip RAM and meet general I/O requirements. Off-chip RAM (not shown) would typically be used for information that cannot be accommodated internally but, for security and performance reasons, still needs to be closer to the SPU than main system memory or disk storage. This information may be protected by modification detection codes, and may or may not be encrypted, depending on application requirements. In addition to serving as a memory interface, several signals on this port can be used to implement cryptographic alarms or trip wire inputs, or even to zero inputs or keys.

[0026] The External Bus Interface Block 9 is the communications port to the host system. In one embodiment it is the means for getting the application commands as well as data to and from the SPU, and is designed to match the ISA bus standard requirements.

[0027] The Power Block 13 switches between system and battery power depending on system power availability. Power from an external battery (not shown) is supplied to the RTC Block 5, the RAM Block 8 and a Status Register 11 through VPP 24, as well as to off-chip RAM (not shown) through VOUT 23, when system power is not available. The Power Block 13 also provides signals PWRGD 27, DLY_PWRGD 26 and CHIP_PWRGD 28, which, respectively, start the System Clock 2, reset the Bus Controller 4 and enable the isolation of the battery-backed parts of the circuit from the non-battery-backed parts through the Power Isolation 12.

[0028] A Silicon Firewall 20 protects the internal circuitry from any external asynchronous or otherwise anomalous signals, conditioning the inputs from the I/O Port Block 1 via PIN lines 32 or the External Bus Interface 9 via ADDR/DATA lines 33, the RESET 30 to the Bus Controller 4, as well as the inputs from a host of security detectors. Some internally generated signals, such as the output of the Real Time Clock 5, are similarly conditioned.

[0029] The Status Register 11 is the repository of all hardware detector signals arrayed through the device to detect various attempted security breaches. Detectors may include a Photo Detector 16, Temperature Detector 17, Metallization Layer Detector 18 and any Additional Detectors 19 (represented in ghost), for example high/low voltage detectors, vibration detectors or sand detectors. Each of these detectors may convey one or more bits of information which, in one embodiment, are stored in the Status Register 11. The Status Register 11 may also store internally generated signals, such as the ROLLOVER 34 signal from the Real Time Clock 5 and the Valid RAM and Time (VRT) bit, used to verify the integrity of the information stored in the RAM Block 8 and the time counter in the Real Time Clock 5.
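The detector, filter and response layers of the abstract, fed from Status Register bits like those of [0029] and applying the tolerances discussed in [0012] and [0013] (re-sampling a photo hit, corroborating a temperature reading, forgiving two wrong PINs), modelled in Python as an added example. This is not code from the patent: the bit layout of the register, the two policies and every threshold are assumptions made for illustration.

```python
"""Detector filtering and response selection under a programmable policy.

Added example; not code from the patent. It models the detector -> filter ->
response scheme of the abstract with the tolerances discussed in [0012] and
[0013]. The bit layout of the status register, the two policies and the
thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import IntFlag
from typing import Iterable, List


class Status(IntFlag):
    """Assumed layout of the hardware Status Register (one bit per detector)."""
    NONE = 0
    PHOTO = 1 << 0      # Photo Detector: light reached the die (X-ray or opened package)
    TEMP = 1 << 1       # Temperature Detector out of range
    METAL = 1 << 2      # Metallization Layer Detector: shield breached
    VOLTAGE = 1 << 3    # high/low voltage detector
    PIN_FAIL = 1 << 4   # Software Attack Monitor: a wrong PIN was entered


class Response(IntFlag):
    NONE = 0
    LOG = 1 << 0        # record the event in battery-backed RAM
    LOCKOUT = 1 << 1    # temporarily disable functions, ATM-style
    ZEROIZE = 1 << 2    # erase keys and other secrets


@dataclass(frozen=True)
class Policy:
    name: str
    photo_confirm_samples: int       # consecutive samples before a photo hit is believed
    temp_needs_corroboration: bool   # require a second physical symptom with TEMP
    pin_tolerance: int               # wrong PINs tolerated before LOCKOUT
    zeroize_on_any: bool             # one confirmed deviation -> ZEROIZE


# Conservative policy in the spirit of [0013] (Tessera-style token): act on the first deviation.
CONSERVATIVE = Policy("conservative", 1, False, 0, True)
# Lenient policy in the spirit of [0012] (everyday access card): re-check, corroborate, forgive two PINs.
LENIENT = Policy("lenient", 3, True, 2, False)


class Filter:
    """Correlates Status Register samples over time and picks a Response."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.photo_run = 0      # consecutive samples with PHOTO set
        self.pin_failures = 0   # wrong PINs since the last accepted one

    def pin_accepted(self) -> None:
        self.pin_failures = 0

    def step(self, status: Status) -> Response:
        p = self.policy
        # An X-ray scan is brief: the lenient policy waits a few samples and
        # only believes a photo hit that persists.
        self.photo_run = self.photo_run + 1 if status & Status.PHOTO else 0
        photo = self.photo_run >= p.photo_confirm_samples
        metal = bool(status & Status.METAL)
        voltage = bool(status & Status.VOLTAGE)
        # Heat alone may be a jacket on a radiator; lenient needs a second symptom.
        temp = bool(status & Status.TEMP) and (
            not p.temp_needs_corroboration or photo or metal or voltage)
        confirmed = sum((photo, temp, metal, voltage))

        if status & Status.PIN_FAIL:
            self.pin_failures += 1

        resp = Response.NONE
        if self.pin_failures > p.pin_tolerance:
            resp |= Response.LOCKOUT
        # A breached shield is unambiguous; otherwise the policy decides how
        # large a deviation must be before keys are destroyed.
        if metal or (confirmed >= 1 and p.zeroize_on_any) or confirmed >= 2:
            resp |= Response.ZEROIZE
        elif confirmed >= 1:
            resp |= Response.LOG
        return resp


def run(policy: Policy, samples: Iterable[Status]) -> List[Response]:
    """Feed a sequence of register samples through a fresh Filter."""
    f = Filter(policy)
    return [f.step(s) for s in samples]
```

Under CONSERVATIVE a single PHOTO sample zeroizes the keys; under LENIENT the same reading must persist for three consecutive samples and is then only logged, a TEMP reading needs a second physical symptom, and the third wrong PIN locks the card. Swapping the policy changes the behaviour without touching the detector logic, which is the point of keeping the three layers separate.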
[0030] In one embodiment, a DES Engine 6 is provided as a cryptographic engine to encrypt and decrypt data using its DES algorithm. Alternative embodiments of cryptographic engines may be implemented entirely in hardware or in a combination of hardware and software, and may use other cryptological algorithms, including RSA or secret algorithms such as RC2, RC4 or Skipjack, or combinations thereof. The DES Engine 6 receives keys and data for the cryptographic process from the RAM Block 8 under the control of the Micro Controller 3. The data used could be application data supplied from the External Bus Interface 9 or protected data from the RAM Block 8. The DES Block 6, in one embodiment, performs a decryption of a 64-bit block in 18 clock cycles. Thus, with an SPU rated at 20 MHz, a single decryption will take approximately 900 ns (18 cycles of 50 ns), which amounts to 8 bytes per 900 ns, or a decryption rate of about 8.9 Mbytes per second.

[0031] Typically, the SPU receives "messages" in encrypted form. The cryptographic engine (e.g. DES Engine 6) uses keys, for example "session keys" specific to a particular application transaction or "session". The cryptographic engine is thus used to encrypt or decrypt the messages, or perform other cryptographic operations as is well-known in the art. In addition to providing secure message transfer, the SPU also provides secure key transfer. By having, or indeed even generating, a "master key" internally (using any of the well-known key generation techniques for public or secret key algorithms), the SPU can receive session keys in encrypted form and, treating them like messages, decrypt them with the cryptographic engine using the master key. Conversely, the SPU can encrypt and send messages in a secure manner. The master key, the decrypted session keys and other sensitive information (e.g. the encryption/decryption algorithms) are stored in secure rewritable memory on the SPU, as described below.

i. Power Block.

[0032] The security requirements of the SPU impose special requirements on the power supply. As the Real Time Clock 5 is used to maintain accurate time and the RAM 8 is used to store and maintain information, both for the field life of the product, each must have a continuous source of power, VPP 24, which here is supplied by the Power Block 13.

[0033] Referring now to FIG. 2, the battery VBAT 21 and system VDD 22 voltages are supplied to the Power Switching Circuit 101. This circuit uses a conventional analog comparator to determine the higher of the two voltages, VDD 22 and VBAT 21, and provide such voltage as VPP 24 to the internal circuitry and as VOUT 23, which could be used as a voltage supply for off-chip RAM, for example. The Power Switching Circuit 101 also provides a PWRGD 27 signal, which is used to indicate whether the entire SPU chip is powered through VDD 22 (the high state), as opposed to only the battery-backed sections being powered via VBAT 21 (the low state). In one embodiment, the threshold for PWRGD 27 is reached when VDD 22 exceeds 1.2 times VBAT 21. If the external battery is dead, VBAT 21 is effectively zero, and PWRGD 27 goes high as soon as VDD 22 is turned on.

[0034] The PWRGD 27 signal, as not originating from the Internal Data Bus 10, would represent a security risk within the circuitry inside the Silicon Firewall 20, if left untreated. However, unlike other signals that are passed through the Silicon Firewall 20, PWRGD 27 is used to start the System Clock 2, as discussed below, and thus cannot be conditioned and synchronized by the Silicon Firewall 20 in the manner those other signals are treated. Thus, the Power Switching Circuit 101 conditions the PWRGD 27 signal by a low-pass filter, which acts as a "glitch eater" to prevent any rapid changes in the resultant PWRGD 27 signal and give it a sufficiently narrow bandwidth as to admit to the internal

[0035] Two counters, PWRUP Counter 102 and PWRDN Counter 103, are provided to produce DLY_PWRGD 26, a delayed version of PWRGD 27, as clocked by the system clock CTTL 34 signal. These counters may be conventional devices as is well known in the art. In one embodiment, this DLY_PWRGD 26 signal is used as an input to the AND gate 31 incident to the Bus Controller 4, as shown in FIG. 1, thus assuring the SPU is always powered up in the reset state. The DLY_PWRGD 26 and PWRGD 27 signals are combined through an AND gate 114 to produce another signal, CHIP_PWRGD 28.

[0036] The CHIP_PWRGD 28 signal is provided to prevent current flow from the battery-backed circuitry to the rest of the circuit that is not powered when the system power VDD 22 is removed, and thus allow for the orderly shutdown of the non-battery-backed sections. This signal acts as an early detection system for the system power going away. Referring to FIG. 1, the CHIP_PWRGD 28 signal is used by the Power Isolation Circuit 12, which isolates the inputs and outputs of the Real Time Clock 5, RAM 8 and Status Register 11 from non-battery-backed sections of the chip. CHIP_PWRGD 28 is conditioned in the manner of the Silicon Firewall 20 described below; this process has the added advantage of preventing any invalid writes to the RAM 8 or Real Time Clock 5 when the power source is being switched.

[0037] As described above, the DLY_PWRGD 26 signal may be used as a reset. However, if the PWRUP Counter 102 is powered up in the wrong state, it may affect the reset operation of the rest of the device. The state machine in PWRUP Counter 102 could power up in a state of continual reset owing to the dual requirements of powering up without reset and delaying the stopping of CTTL 34 clocking upon power down. To overcome this problem, a separate analog circuit VccPUD 104 is provided, with inputs SET_PWUP 110 and CLR_PWUP 111, which, respectively, set and clear the output VCCPWUP 107. The VccPUD 104 circuit also monitors VDD 22 such that VCCPWUP 107 will also clear if VDD 22 falls below approximately 2V. In this embodiment VDD 22 is supplied by the Power Switching Circuit 101 via VREF 115.

[0038] The operation of the PWRUP Counter 102 and PWRDN Counter 103 in conjunction with VccPUD 104 is thus as follows. On power up, until the system power VDD 22 comes up above 1.2 times VBAT 21, VCCPWUP 112 acts as a reset to PWRUP Counter 102 and PWRDN Counter 103; afterwards PWRGD 27 and consequently VCCPWUP 112 will come up, triggering the start of the PWRUP Counter 102. Seven clock cycles later, as clocked by CTTL 34, the DLY_PWRGD 26 and CHIP_PWRGD 28 signals will go high. Conversely, when VDD 22 comes down, before it dips below 2V it will drop below 1.2 times VBAT 21, thus PWRGD 27 will go low, starting the PWRDN Counter 103 via inverter 108. Eight clock cycles later, the PWRDN Counter 103 will trigger the SHUTDOWN 113 signal, which will activate CLR_PWUP 111, causing VCCPWUP 112 to go low, resetting the PWRDN Counter 103 via AND gate 107 and the PWRUP Counter 102 via inverter 109. Thus, if the PWRGD 27 signal is low for longer than seven clock cycles, the entire device is reset as if power has been completely removed. This delay takes into account transients in the power supply where VDD 22 goes high but dips below 2V briefly before returning to an acceptable level.
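The sequencing of [0035] to [0038], simulated one CTTL cycle at a time in Python as an added example that is not the patent's circuit. The analog thresholds (1.2 times VBAT, the 2 V cut-off) are folded into the PWRGD input rather than modelled, and the behaviour of the counters across a dip that ends before SHUTDOWN (the PWRDN counter restarts and DLY_PWRGD stays high) is an assumption of the example.

```python
"""Power-good sequencing of the Power Block, one CTTL cycle at a time.

Added example; not the patent's circuit. It follows [0035] to [0038]: PWRGD
rising starts the PWRUP counter and DLY_PWRGD / CHIP_PWRGD go high seven
cycles later; PWRGD falling drops CHIP_PWRGD at once (AND gate 114) and
starts the PWRDN counter, which asserts SHUTDOWN after eight low cycles and
clears VCCPWUP, resetting the whole device. Assumption: a dip that ends
before SHUTDOWN restarts the PWRDN counter and leaves DLY_PWRGD high.
"""
from dataclasses import dataclass
from typing import List

PWRUP_CYCLES = 7   # delay from PWRGD high to DLY_PWRGD high
PWRDN_CYCLES = 8   # low cycles of PWRGD before SHUTDOWN


@dataclass
class Cycle:
    pwrgd: int
    dly_pwrgd: int
    chip_pwrgd: int
    shutdown: int


class PowerBlock:
    def __init__(self) -> None:
        self.vccpwup = 0     # output of the VccPUD latch (SET_PWUP / CLR_PWUP)
        self.pwrup = 0       # PWRUP Counter 102
        self.pwrdn = 0       # PWRDN Counter 103
        self.dly_pwrgd = 0
        self.resets = 0      # number of SHUTDOWN events seen

    def clock(self, pwrgd: int) -> Cycle:
        """Advance one CTTL cycle with the (already glitch-filtered) PWRGD level."""
        shutdown = 0
        if pwrgd:
            self.vccpwup = 1          # SET_PWUP: release the counters
            self.pwrdn = 0            # assumption: a short dip is forgotten
            if self.pwrup < PWRUP_CYCLES:
                self.pwrup += 1
            if self.pwrup == PWRUP_CYCLES:
                self.dly_pwrgd = 1
        elif self.vccpwup:
            self.pwrdn += 1           # count low cycles toward SHUTDOWN
            if self.pwrdn >= PWRDN_CYCLES:
                shutdown = 1
                self.vccpwup = 0      # CLR_PWUP: both counters reset
                self.pwrup = self.pwrdn = 0
                self.dly_pwrgd = 0
                self.resets += 1
        # CHIP_PWRGD = DLY_PWRGD AND PWRGD: the early warning that VDD is going away.
        chip_pwrgd = self.dly_pwrgd & pwrgd
        return Cycle(pwrgd, self.dly_pwrgd, chip_pwrgd, shutdown)


def simulate(pwrgd_trace: List[int]) -> List[Cycle]:
    """Run a PWRGD level trace (one value per CTTL cycle) through a fresh block."""
    pb = PowerBlock()
    return [pb.clock(v) for v in pwrgd_trace]


def dly_pwrgd_rise_cycle(trace: List[Cycle]) -> int:
    """Index of the first cycle in which DLY_PWRGD is high, or -1."""
    return next((i for i, c in enumerate(trace) if c.dly_pwrgd), -1)


def full_resets(trace: List[Cycle]) -> int:
    """Number of SHUTDOWN events in the trace."""
    return sum(c.shutdown for c in trace)
```

A three-cycle dip in PWRGD drops CHIP_PWRGD (so the battery-backed RAM and RTC are isolated from any write in progress) but does not reset the device; only eight consecutive low cycles reach SHUTDOWN, after which a fresh seven-cycle power-up sequence is required before the controller leaves reset.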

ii. Alarm Wake Up.

[0039] One embodiment of the present invention disables detection capability when the SPU is running on battery power VBAT 21 only. In an alternative embodiment, in the absence of system power VDD 22, non-battery-backed parts of the SPU are temporarily powered through VBAT 21. As represented in ghost in FIG. 1, if any detector triggers a signal, the OR gate 39 would send an ALARM 38 signal to the Power Block 13.

[0040] With further reference to FIG. 2, if VBAT 21 alone was sufficiently high to power the whole SPU, a suitably modified Power Switching Circuit 101 would, upon triggering by the ALARM 38 signal: (i) generate a PWRGD 27 signal much as seen before; (ii) generate a new signal, APWRGD 40, to indicate that the SPU was operating under alarm-triggered "emergency" power; and (iii) switch VREF 115 from VDD 22 to VBAT 21 so as not to interfere with the powering up process. In the continued absence of adequate VDD 22, a SLEEP 41 signal received by the Power Switching Circuit 101 would make PWRGD 27 and APWRGD 40 go low, switch VREF 115 back to VDD 22, and so trigger a power down much as seen before.
iii. Silicon Firewall.

[0041] A common assumption, when defining a security model, is that everything inside a system is protected while everything outside is not protected. In any effort to plan for security features, it is crucial to establish a clear understanding of the system boundary and to define the threats, originating outside the boundary, against which the system must defend itself. In the case of the SPU, the system boundary is the silicon boundary, or equivalently the pins of the SPU. The components inside the system boundary are of two types: those responsible for the security of the system, and those responsible for performing other functions. Separating the two types of components is the boundary called the security perimeter, and the area between the security perimeter and the silicon boundary is the silicon firewall. The silicon firewall's role is thus to defend the security perimeter. One aspect of this role, for example, is to prevent asynchronous inputs from outside the security perimeter reaching inside untreated: such inputs may drive the system into unpredictable and uncontrollable states.

[0042] The Micro Controller 3 is one of the least trusted components in the SPU, precisely because it is difficult to verify all the multitudinous states of a micro controller. Consequently, the Micro Controller 3 of the SPU should be protected from asynchronous or otherwise abnormal inputs, i.e., signals which are outside the normal operating mode of the Micro Controller 3. Examples of abnormal inputs are signals which have invalid logic levels (i.e., which have neither valid high nor valid low logic levels) and signals which have timing transitions asynchronous to the clock. Not only do input signals external to the SPU need treatment, but all internal signals which are asynchronous to the Micro Controller must be treated by special protection circuitry.

[00431 A common technique to prevent asynchronous and abnormal inputs is to equip all inputs to a semicondurtor 
chiD with Schmitt trigger devices coupled with latch circuits, which thereby ensure that signals cannot change state 
SeTey are b^iig'impled by the semiconductor chip. However, it is difficult »° ^f^^^^^ "l-l^^^^ 
more Schmitt triggere are slow because of hysteresis effects. The SPU according to the preserrt m^errton uses a ai- 
STnoS^rdeSn to protect all imerfaces to the Micro Controllers, one of thedesi^^^ 

Hteie nShine FiG. 3 shows one embodiment of a state machine 71 0 which could be used as a Silicon Rrewall Sta e 
mS^fn^^rcomprises a data register 712. the state of which is controlled by a clock 714. In this embodiment, ^ate 
mSne 7 0 opS^tes as a four t4te machine. During any time ot^^^ 

In t1 input data (If available) is latched into an input port 716 of data register 712. However, date .s not ava 'able to Je 
outpl,; Srt ^ 7 of data register 712 until t3. Consequently, any metastaUe states of the input data are nulWied by the 

jjotcycle delay ^^^^1^^^ o, a ^ata register 720 which can be advantageously i«ed In state rrachine 71 a 

kegis er 720 comprises two D flip-flops 722 and 724. The output <«7"tL^26 °" W 

terminal 727 of f lip-f top 724. A clock signal is sent to the clock terminals 728 and 729 of flip-flops 722 and 724. respec- 

[OMSrvSi'^ali^ernal signal, which is generally asynchronous. Is applied to the ''"P^^^''^'^.'^\^^X^^SlJ^' 
fts stale (high or low) is latched into flip-flop 722 only at the rising edge of the first ^j^^^^'t^'^^.^ 
same umil the rising edge of the second clock pulse. As a result the output signal at term nal ^6 o^ 
remains at the same state from the rising edge of the first clock pulse to the nsing edge of the second clock pulse, 
regardless of the state of the input signal between the two rising edges. , ■ ■ 

[00461 The state of the output terminal 726 of flip-flop 722. which corresponds to the external signal at the "sjng edge 
of the firet clock pulse, is latched Intoflip-flop 724 at the rising edge of the second dock pulse. "^J'^JJf ?^ 

terminal 734 of flip flop 724 will have a state equal to the state of the external signal at the rising edge of an earlier clock 

[0047] It can be seen from data register 720 that the input is sampled at a time determined (i.e., synchronized) by the clock pulses. In addition, any abnormal signal is filtered by flip-flop 722. Consequently, the signal connected to the embedded controller is a normal and synchronized signal.

[0048] FIG. 5 shows an alternative embodiment of a data register 740 which can be advantageously used in state machine 710. Data register 740 consists of a multiplexer 742, a D flip-flop 744, a buffer 746, and a device 748 for generating a clock signal having four t-states in response to an input clock signal on line 750. The output of multiplexer 742 is connected to the input of D flip-flop 744, and the output of D flip-flop 744 is connected to the input of buffer 746 and one of the input terminals of multiplexer 742. The other terminal of multiplexer 742 is connected to an external signal (typically asynchronous). Device 748 generates a clock signal on line 752 which controls multiplexer 742 such that the external asynchronous signal on line 758 is coupled to D flip-flop 744 only at time t1. Device 748 also generates a clock signal on line 754 which controls buffer 746 such that the output signal of D flip-flop 744 passes through buffer 746 only at time t3. As a result, the signal on line 756 is synchronized.
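As an added illustration that is not part of the patent, the C model below simulates data register 720: two D flip-flops clocked together, with the asynchronous input looked at only on rising edges. A constructed pulse that falls between two edges never reaches terminal 734, and a level sampled into flip-flop 722 at one edge appears on terminal 734 at the next; the waveform sampling scheme and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added model of data register 720: two D flip-flops (722, 724) in series,
 * sharing one clock. Not the patent's own code. */
typedef struct {
    bool q726;  /* output of flip-flop 722, terminal 726 */
    bool q734;  /* output of flip-flop 724, terminal 734, seen by the controller */
} data_register_720;

/* One rising clock edge: 724 latches what 722 held, then 722 samples the
 * external input. Between edges the external signal is not looked at. */
static void rising_edge(data_register_720 *r, bool external_in)
{
    r->q734 = r->q726;
    r->q726 = external_in;
}

/* Feed an asynchronous waveform, sampled sub_steps times per clock period
 * (the rising edge is sub-step 0), and record terminal 734 after each edge.
 * Returns the number of edges simulated. Assumed helper, not from the page. */
size_t synchronize(const bool *waveform, size_t n, size_t sub_steps,
                   bool *out734, size_t out_cap)
{
    data_register_720 r = { false, false };
    size_t edges = 0;
    for (size_t i = 0; i < n && edges < out_cap; i += sub_steps) {
        rising_edge(&r, waveform[i]);
        out734[edges++] = r.q734;
    }
    return edges;
}

/* Number of changes in a sequence of output samples. */
size_t count_transitions(const bool *seq, size_t n)
{
    size_t t = 0;
    for (size_t i = 1; i < n; i++)
        if (seq[i] != seq[i - 1]) t++;
    return t;
}

/* Constructed scenario 1: a pulse two sub-steps wide that sits between the
 * second and third edge. It is never sampled, so terminal 734 never moves. */
size_t demo_glitch_transitions(void)
{
    enum { SUB = 4, N = 16 };
    bool wave[N] = { false };
    bool out[N / SUB];
    wave[5] = wave[6] = true;
    size_t edges = synchronize(wave, N, SUB, out, N / SUB);
    return count_transitions(out, edges);
}

/* Constructed scenario 2: the input goes high exactly at the second edge
 * (index 1). Returns the edge index at which terminal 734 first reads high:
 * the value latched into 722 at edge 1 reaches 734 at edge 2. */
int demo_level_first_high_edge(void)
{
    enum { SUB = 4, N = 16 };
    bool wave[N];
    bool out[N / SUB];
    for (int i = 0; i < N; i++) wave[i] = (i >= 4);
    size_t edges = synchronize(wave, N, SUB, out, N / SUB);
    for (size_t i = 0; i < edges; i++)
        if (out[i]) return (int)i;
    return -1;
}
```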
iv. Internal System Clock.

[0049] A system clock compatible with PDPS faces a series of design considerations: cost, governmental regulatory compliance, printed circuit board area, power consumption and last, but most important, security. The desire for high performance places a premium on clock speed, which is directly proportional thereto.

[0050] The cost of clocking circuits increases with frequency, and external clocks may represent a sizeable fraction of the entire manufacturing cost. The greater the physical extent of the high-frequency circuitry, the greater the high-frequency EM emissions, resulting in both a problem for security as well as meeting FIPS 140-1 requirements. EM emissions can give surprising amounts of information to sophisticated attackers -- by analyzing the power spectrum, one might even deduce which type of algorithm is being processed at any particular time. As compared with an internal clock sitting right on the microprocessor, an external clock coupled to a microprocessor cannot be made to comply as easily with the FIPS 140-1 EMI/EMC requirements which impose limits on EM emissions. External clocking arrangements can use significant real estate on printed circuit boards and hence restrict design applications. The desire to reduce power consumption favors internal clocks: they can operate at lower voltages than external ones, which have to deal with high outside EM interference; and they have smaller power dissipation capacitances owing to their smaller physical dimensions. Moreover, the presence of an external clock allows a potential chip attacker to manipulate the clock speed, a factor which may allow it to foil other security devices.

[0051] Internal oscillators, of themselves, are not novel structures. One can find a programmable internal oscillator in Carver Mead and Lynn Conway, Introduction to VLSI Systems, Addison-Wesley (1980), pp. 233-236. Another example is a phase-locked loop circuit which locks upon an external low frequency reference, as described by Brian Case, "Sony & HDL Detail Embedded MIPS Cores", Microprocessor Report, vol. 7, no. 15, November 15, 1993. This outside link through an external reference is completely inappropriate in a security environment, however.
[0052] Referring now to FIG. 6, the System Clock 2 is implemented using a standard 5-clock-cycle shutdown, 5-clock-cycle enable, state machine once a change request has been detected. The Bus Interface and Decoder 151 selects and decodes three types of signals off the Internal Bus 10: the internal system clock signal CTTL 34 which is passed onto Power Block 13 as was illustrated in FIG. 1; a STOP_CLK 166 signal to stop the System Clock 2; and the signal OSC_FREQ 172, representing the programmed frequency for the Ring Oscillator 156. The OSC_FREQ 172 signal is stored in the Oscillator Control Register 152, and is fed into the Change Pulse Generator 153. The STOP_CLK 166 and PWRGD 27 signals are fed into AND gate 164, the output of which is fed into the Change Pulse Generator 153, AND gate 165, the set of entry latches 154, the Clock Edge Prohibit 155, and the resets for the D flip-flops 159-163. Thus, when the Change Pulse Generator 153 detects a change in any of its inputs, it generates a pulse CHANGE_DETECTED 167 which is latched onto the latch 158. The D flip-flops 159-163 act as a shift register, propagating the latched signal from latch 158 down the line in five clock cycles, the clocking generated by RING_CLK_OUT 170, the output of the Ring Oscillator 156. When the signal has propagated through the last D flip-flop 163, it generates: (i) an OPEN_LATCH 168 signal to the entry latches 154 and Clock Edge Prohibit 155; and (ii) a CLOSE_LATCH 169 signal to the exit latch 157 and the AND gate 165, thus resetting the latch 158.

[0053] The OPEN_LATCH 168 signal, in conjunction with a high signal from the AND gate 164, will enable the Clock Edge Prohibit 155, which is a one-shot trigger generating a SHUTDOWN_CLK 171 signal for approximately 120 ns, allowing a new frequency to be programmed into the Ring Oscillator 156 without introducing transient glitches. At the same time the CLOSE_LATCH 169 signal will remain low for one clock cycle, resulting in the output SYSCLK 35 having a longer duty cycle for one clock cycle, and then the data in the Oscillator Control Register 225 will correspond to the output frequency of SYSCLK 35.

[0054] The Ring Oscillator 156 itself will now be described. To compensate for the wide process variations introduced in manufacture, resulting in variances in individual clock rates over a wide range, the Ring Oscillator 156 is programmable to sixteen different frequencies of operation: 22 MHz, 23 MHz, 24.8 MHz, 26.2 MHz, 27.7 MHz, 29 MHz, 31.9 MHz, 34.3 MHz, 37.8 MHz, 40.2 MHz, 46 MHz, 51.2 MHz, 58.8 MHz, 64.9 MHz, 82.2 MHz and 102.2 MHz. The particular nature of the Micro Controller 3, as well as concerns for the operational compatibility with the ROM 7, dictated that these nominal frequencies be divided by two before the signal leaves the Ring Oscillator 156 and is provided to the Micro Controller 3 via SYSCLK 35.

[0055] Referring now to FIG. 7(a), one can see that this aforementioned frequency division is accomplished by the D flip-flop 210 whose output is RING_CLK_OUT 170. The OSC_FREQ 172 signals are supplied in pairs to one of two multiplexers MUX1 204 and MUX2 208. The output of MUX2 208 is fed to the D flip-flop 210 ... NAND gate 209. The SHUTDOWN_CLK 171 signal is fed to the D flip-flop 210 reset and the NAND gate 209. Blocks 201, 202, 203, 205, 206, 207 are chains of inverters, represented in FIGS. 4(b), 4(c), 4(c), 4(d), 4(e) and 4(e), respectively. Depending on the state of the OSC_FREQ 171 signals, from (0,0,0,0) to (1,1,1,1), asserted on ... MUX1 204 and MUX2 208, the results yield an effective circuit varying in the number of inverters. In FIG. 7(b) a chain of 8 inverters 211-218 is shown, each connected to VPP 24 through capacitors 219-226. These capacitors act to swamp all routing capacitance through the circuit. Similarly, FIG. 7(c) shows the corresponding 4 inverter chain, with inverters 227 .... and capacitors 231-234. FIG. 7(d) shows the 2 inverter chain with inverters 235 and 236 .... Finally FIG. 7(e) also shows two inverters 239 and 240, but with only a single capacitor 241 attached to ... inverter 240. Two inverters are required in this last case, ... in conjunction with the NAND gate 209, is required to give the ring a net overall inversion. It is the ring delay, the combined propagation delays through all the inverters, the NAND gate 209 and the multiplexers MUX1 204 and MUX2 208, which generates the 16 different frequencies of the Ring Oscillator 156 listed above.

[0056] At manufacturing time, the frequency selected is based on calibration with an established time standard. This standard may be provided by the Real Time Clock 5, or by "Start" and "Stop" time commands timed and sent from a .... ... the Real Time Clock 5 provides the optimal calibration input. This calibration is accomplished at the time the secret keys are installed and can only be done in the manufacturing mode. The final set frequency, as ... Oscillator Control Register 152, is stored in the ... non-volatile memory. Each time the device is reset, or power is applied, the device assures itself that the final set frequency stored in non-volatile memory is correct by using modification detection codes, as described below. If it is, it is loaded into the lowest four bits of the Oscillator Control Register 225, thus re-establishing the optimal operating frequency of the Ring Oscillator 156. If the final set frequency in non-volatile memory ..., then no value is loaded into the Oscillator Control Register 225, thus leaving it at its reset value. Leaving the Ring Oscillator 156 at its reset value, which is the lowest programmable frequency, ensures proper ... under conditions of non-volatile memory .... For example, it assures that the internal Micro Controller ... SYSCLK 216 is never driven at too high a frequency, which could lead to malfunction and possible security breach.

v. Real Time Clock.
[0057] For the reasons disclosed above, as well as an innate temperature variability of about ... operating range, the System Clock 2 represents a secure but somewhat inaccurate timing device ... for internal clocking of the Micro Controller 3, but not for keeping UNIX time or to control ... through ....
[0058] Referring to FIG. 1, the RTC Oscillator 14 is designed to produce a 32.768 kHz RTCLK 29 ... through use of an external quartz crystal 15. Alternatively, one could bypass the RTC Oscillator 14 and generate RTCLK 29 through an external .... OSC_ON 42 allows the oscillator to be stopped even though ... device. This prevents drain on the battery, as for example, while the system is in .... RTCLK 236 from the RTC Oscillator 241 is used to drive the Real Time Clock, as described below.
[0059] With reference to FIG. 8, the Real Time Clock 5 consists of a binary Ripple Counter 302, a Bus Interface and Decoder 301 and a Synchronization Block 303. The Ripple Counter 302 may be a conventional shift register array with 15 bits allocated to count fractions of seconds, output via SFC 306, and 32 bits allocated to count seconds, output via SC 307. The value of SC 307, when combined with an offset in the local battery-backed ..., gives UNIX time. The final carry-over in the Ripple Counter 302 produces the ROLLOVER 34 signal.
[0060] The Bus Interface and Decoder 301 interfaces with the Internal Bus 10 and supplies ... RTC ... 25, the aforementioned OSC_ON 42 signal, and signals CLEAR_RTC 304 and CLOCK_RTC 305. CLEAR_RTC 304 is used to reset the Ripple Counter 302. CLOCK_RTC 305 allows the Micro Controller 3 to clock the Ripple Counter 302 without resorting to RTCLK 29, and thus permits testing of the device.

[0061] As RTCLK 29 is an external asynchronous signal, the resulting signals SFC 306, SC 307 and ROLLOVER 34 must be treated by the Synchronization Block 303, in the manner of the Silicon Firewall described earlier. Thereafter, the SFC 306 and SC 307 ... may be appropriately channeled through the Internal Bus 10 ... the Micro Controller 3. The use of the ROLLOVER 34 signal will be discussed in the context of the Rollover Bit discussed below.
[0062] In accordance with the alarm wake-up feature of the alternative embodiment discussed ..., a Countdown Counter 308 (represented in ghost) is set by the Micro Controller 3 via counter control signals sent on the Internal Bus 10 and ... by the Bus .... When the Countdown Counter 308 accomplishes a predetermined count as clocked off the Ripple Counter 302, ... issue an ALARM 38 signal in the same manner as described above. In addition, the ROLLOVER 309 signal, passed through OR gate 309, may provide the basis of another wake-up signal via ALARM 38.

vi. Inverting Key Storage.

[0063] It is desirable to place secret information (e.g., the decryption key) in the volatile, or generally re-writable, memory of the SPU. The secret information will be destroyed if power to the SPU is turned off. On the other hand, if the secret information is placed in non-volatile memory, an attacker can remove the SPU and at his leisure and by conventional means examine the information in the non-volatile memory.
[0064] If secret information is not loaded into the volatile memory properly, an attacker may still be able to examine the SPU while system power is turned off and obtain the secret information. This is because the secret information stored in conventional volatile memory may leave a residue on the dielectric material of the SPU, which the attacker can read to obtain the secret information even after power is turned off. When the secret information is loaded into memory, the voltage level of the memory cells causes charge to build up in the dielectric material of the memory cells. If the same secret information is placed in the same memory location for an extended period of time, the dielectric material may be permanently affected by the charge of the memory cells. When this happens, it is possible to determine the secret information even after power is removed from the memory cells. Further, it is possible to artificially "age" the memory cells (so that the dielectric material can be permanently affected in less time) by elevating the voltage and changing the operating temperature of the SPU.

[0065] One aspect of the present invention is an inverting key storage arrangement wherein the secret keys are periodically inverted. As a result, the net average charge across all memory cells is the same, thus leaving no signature of a specially-selected key in the dielectric material of the memory cells which would be amenable to detection.
[0066] In one embodiment of the invention, the inverting key storage arrangement is implemented in firmware. The firmware includes a key inverting routine which is executed at a predetermined time, e.g., once every 100 ms. A flowchart 800 which includes a key inverting routine 802 is shown in FIG. 9. Flowchart 800 contains a decision block 804 which determines if it is time to branch to inverting routine 802. If the answer is negative, programs in the firmware are executed (block 806). If it is time to execute the key inverting routine 802, flowchart 800 branches to block 808 which causes all access to the keys to be disabled. The embedded controller then reads the key stored in volatile memory. The bits of the key are inverted and then stored back into memory (block 810). In order to keep track of the current status of the inversion (i.e., whether the key is in a normal or inverted state), a key-inversion status bit is assigned to keep track of the status. After the key is inverted, the status of the key-inversion status bit is changed (block 812). The access to the key is now enabled (block 814). Flowchart 800 can now branch to block 806 to execute other firmware routines.
[0067] It is also possible to implement an inverting key storage arrangement using only hardware. FIG. 10 is a schematic diagram of such an arrangement 820, which contains a JK flip flop 822 and a plurality of memory cells, such as cells 824 and 825. The structure of these two cells is identical, and only one will be described in detail. Cell 824 contains two OR gates 827 and 828, a JK flip flop 829, a NOR gate 830, an inverter 831, and a buffer 832. A clock signal on line 834 is connected to the clock input of the two flip flops 822 and 829. A Toggle/Load signal (T/L*) on line 835 is used to put the cells 824 and 825 in a toggle state when the signal is at a high value and the cells in a load state when the signal is at a low value. Thus, when the T/L* signal is low, the data on line 839 is loaded into memory cell 824. When the T/L* signal is high, the JK flip flop 829 will toggle according to the clock signal on line 834. A read signal on line 836 is coupled to the enable terminal of buffer 832. The read signal allows the data stored in the memory cells to be read. The signal on line 836 indicates whether the output on line 839 is the original or the inverted signal.
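The firmware routine of flowchart 800 (blocks 804-814), as an added example in C that is not the patent's own code: it disables access, inverts the stored key, flips the status bit, re-enables access, and lets readers recover the true key from either image. A dwell-time count over an even number of inversion periods shows why no per-bit charge signature remains. The key length, the 100 ms period from the text, and the constructed sample key are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed parameters: a 128-bit key and the 100 ms period given in the text. */
#define KEY_BYTES 16
#define INVERT_PERIOD_MS 100u

typedef struct {
    uint8_t cell[KEY_BYTES];   /* volatile memory cells holding the key image */
    bool inverted;             /* key-inversion status bit */
    bool access_enabled;       /* cleared while the inversion is in progress */
    uint32_t next_invert_ms;   /* when decision block 804 next branches */
} key_store;

void key_store_load(key_store *ks, const uint8_t key[KEY_BYTES], uint32_t now_ms)
{
    memcpy(ks->cell, key, KEY_BYTES);
    ks->inverted = false;
    ks->access_enabled = true;
    ks->next_invert_ms = now_ms + INVERT_PERIOD_MS;
}

/* Key inverting routine 802: disable access (808), invert every bit in place
 * (810), flip the status bit (812), re-enable access (814). */
void key_invert_routine(key_store *ks)
{
    ks->access_enabled = false;
    for (size_t i = 0; i < KEY_BYTES; i++) ks->cell[i] = (uint8_t)~ks->cell[i];
    ks->inverted = !ks->inverted;
    ks->access_enabled = true;
}

/* Decision block 804: run the routine when its time has come; otherwise other
 * firmware (block 806) proceeds. Returns true if an inversion ran. */
bool firmware_tick(key_store *ks, uint32_t now_ms)
{
    if ((int32_t)(now_ms - ks->next_invert_ms) < 0) return false;
    key_invert_routine(ks);
    ks->next_invert_ms += INVERT_PERIOD_MS;
    return true;
}

/* Readers consult the status bit so they always see the true key, whichever
 * image the cells currently hold. Fails while access is disabled. */
bool key_store_read(const key_store *ks, uint8_t out[KEY_BYTES])
{
    if (!ks->access_enabled) return false;
    for (size_t i = 0; i < KEY_BYTES; i++)
        out[i] = ks->inverted ? (uint8_t)~ks->cell[i] : ks->cell[i];
    return true;
}

/* Charge-signature check: over an even number of inversion periods, count how
 * many ms each bit spent at logic 1. Every cell dwells at 1 for exactly half
 * the window, so the dwell time reveals nothing about the key bits. */
void dwell_time_per_bit(const uint8_t key[KEY_BYTES], uint32_t periods,
                        uint32_t dwell_ms[KEY_BYTES * 8])
{
    key_store ks;
    key_store_load(&ks, key, 0);
    memset(dwell_ms, 0, sizeof(uint32_t) * KEY_BYTES * 8);
    for (uint32_t t = 0; t < periods * INVERT_PERIOD_MS; t++) {
        firmware_tick(&ks, t);
        for (size_t b = 0; b < KEY_BYTES * 8; b++)
            if ((ks.cell[b / 8] >> (b % 8)) & 1) dwell_ms[b]++;
    }
}

/* True when every bit's dwell time equals half the simulated window. */
bool dwell_is_uniform(const uint8_t key[KEY_BYTES], uint32_t periods)
{
    uint32_t dwell[KEY_BYTES * 8];
    dwell_time_per_bit(key, periods, dwell);
    for (size_t b = 0; b < KEY_BYTES * 8; b++)
        if (dwell[b] != periods * INVERT_PERIOD_MS / 2) return false;
    return true;
}

/* Constructed sample key: load it, run past one inversion, and check that the
 * cells hold the complement while a read still returns the original key. */
bool demo_roundtrip(void)
{
    static const uint8_t key[KEY_BYTES] = {
        0x00, 0xff, 0x0f, 0xf0, 0x12, 0x34, 0x56, 0x78,
        0x9a, 0xbc, 0xde, 0xf0, 0x01, 0x23, 0x45, 0x67 };
    key_store ks;
    uint8_t out[KEY_BYTES];
    key_store_load(&ks, key, 0);
    if (firmware_tick(&ks, 99)) return false;             /* too early: block 806 path */
    if (!firmware_tick(&ks, 100)) return false;           /* routine 802 runs */
    if (!ks.inverted || ks.cell[1] != 0x00) return false; /* 0xff now stored as 0x00 */
    if (!key_store_read(&ks, out) || memcmp(out, key, KEY_BYTES) != 0) return false;
    return dwell_is_uniform(key, 4);
}
```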

vii. Additional Security Features.

[0068] In addition to the features described above, the SPU can certainly be rendered more secure in any number of ways. For example the physical coating disclosed in application Ser. No. 08/096,537, "Tamper Resistant Integrated Circuit Structure", filed July 22, 1993, in the name of inventor Robert C. Byrne, and incorporated herein by reference, has a tamper resistant structure laid down in a pattern which would cover portions of the SPU, but expose others so that etching away the tamper resistant structure destroys the exposed portions. Thus, the SPU would not be easily disassembled or reverse engineered, because the tamper resistant structure would hide the active circuitry and removal of the tamper resistant structure would destroy the active circuitry. This physical coating would act as a natural adjunct to the Metallization Layer Detector (FIGS. 11-13).

[0069] Another security feature that could prove useful is disclosed in application Ser. No. , "Secure Non-Volatile Memory Cell", filed , 1994, in the name of inventors Max Kuo and James Jaffee, also incorporated herein by reference, which has an EEPROM cell providing protection against external detection of the charge stored within the cell by causing any stored charge to dissipate upon the attempted processing of the cell. This type of EEPROM might fulfill the role of the ROM 7 block, or possibly even substitute for the Inverting Key Storage described earlier (FIGS. 9, 10).

b. Implementation of the Detectors.

i. Photo Detector.

[0070] If secure information resides in registers or memory of a VLSI device, often an attacker finds it fruitful to remove the packaging of such a device to impact such storage devices directly. This facilitates the investigation of the design architecture and makes it possible to probe internal nodes in an attempt to discover the secure information. Such package removal, or de-encapsulation, will thus likely expose the die to ambient light, even if inadvertently on the attacker's part. Detecting such light could act as input information for suitable responsive countermeasures to take place.
[0071] The construction of a light-sensitive device can be implemented in many standard CMOS processes without extra masks or steps. For example, lightly doped N-type material exhibits a conductivity proportional to the amount ...

... the Status Register 11. A plurality of such detectors may be placed at strategic places within the SPU, which may be used to localize and further characterize the nature of any intrusion.

ii. High/Low Temperature Detector.

[0073] The normal temperature operating range for the SPU is 0°C to 70°C. Any temperature above this range in ... be considered to be the result of an intrusion attempt by an attacker, ... heat generated by grinding away at the chip's outer layer. A substrate diode, well-known to the art, should be sufficient to detect the changes, although any other comparable device known to those of ordinary skill in the art for performing temperature measurement should suffice.

[0074] With reference to FIG. 1, the Temperature Detector 17 signal passes through the Silicon Firewall 20 before ... the Status Register 11. Nothing in accordance ... a temperature scale, or a plurality of such detectors, to characterize any temperature differentials within the SPU.

[0075] Modern day integrated-circuit analysis equipment is able to probe the ... power is applied to the circuit. As a result, it is possible to detect a key, or other secret data for that matter, .... ... one way to protect the secret key .... However, ... simply protecting the key through the use of a metal layer, as contemplated in the prior art, is rather ineffective.
[0076] One way to enhance the security of the metal layer is for the SPU to contain means for detecting any alteration of the metal layer which covers the key, or any particularly sensitive data for that matter, ... the SPU can then ... to respond to the alteration. One embodiment of the invention is shown in FIG. 11. ... metal traces shown in FIG. 11 as parts 852-857. Each trace is connected to an output pin of a latch 860 and an input pin of a latch 862. These two latches are connected to the system bus 868, which is in turn connected to the Micro Controller 3 and ... connected to the Status Register 11. Traces 852 and 853 pass over a first area 864, traces 854 and 855 pass over a second area 865, and traces 856 and 857 pass over a third area ....

[0077] During a bus cycle, the individual ... depending on the value of a random number generator (either implemented in ...) ... traces 852-857 should be set to a corresponding logic high or a logic low value. At a later bus cycle, latch 862 latches the logic levels of traces 852-857. If any of the latched logic levels are different from the logic level originally driven by latch 860, it is assumed that an attack has been mounted on the SPU.
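An added C model (not from the patent) of the FIG. 11 check: latch 860 drives traces 852-857 with a random pattern, latch 862 reads them back a bus cycle later, and any mismatch is treated as an attack. The constructed scenarios contrast an intact layer, a cut trace whose input pin floats to a fixed level, and the same cut trace under a fixed drive pattern, which the check would never catch; the xorshift generator and the "floats to a fixed level" model are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define N_TRACES 6  /* traces 852-857 */

typedef struct {
    bool cut[N_TRACES];          /* true once a trace has been removed */
    bool float_level[N_TRACES];  /* level the input pin sees for a cut trace (assumption) */
    bool driven[N_TRACES];       /* what latch 860 last drove */
} metal_layer;

/* Latch 860: drive each trace with the corresponding bit of the pattern. */
void drive_traces(metal_layer *m, uint8_t pattern)
{
    for (int i = 0; i < N_TRACES; i++)
        m->driven[i] = (pattern >> i) & 1u;
}

/* Latch 862, a bus cycle later: the logic levels present at the input pins. */
uint8_t latch_traces(const metal_layer *m)
{
    uint8_t v = 0;
    for (int i = 0; i < N_TRACES; i++) {
        bool level = m->cut[i] ? m->float_level[i] : m->driven[i];
        if (level) v |= (uint8_t)(1u << i);
    }
    return v;
}

/* Small xorshift generator standing in for the SPU's random number source. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Run drive/compare rounds. Returns the first round at which the latched
 * levels differ from the driven ones (an assumed attack), or -1 if none. */
int check_metal_layer(metal_layer *m, uint32_t *rng_state, int rounds, bool random_pattern)
{
    for (int c = 0; c < rounds; c++) {
        uint8_t pattern = random_pattern
            ? (uint8_t)(xorshift32(rng_state) & ((1u << N_TRACES) - 1u))
            : 0x00;                       /* a fixed all-low pattern, for contrast */
        drive_traces(m, pattern);
        if (latch_traces(m) != pattern) return c;
    }
    return -1;
}

/* Constructed scenario: nothing touched, the check passes every round. */
int demo_intact_layer(void)
{
    metal_layer m = { { false }, { false }, { false } };
    uint32_t seed = 0x2545F491u;
    return check_metal_layer(&m, &seed, 1000, true);
}

/* Trace 854 (index 2) cut and floating low: caught as soon as the random
 * pattern drives that trace high, which happens in half of the rounds. */
int demo_cut_trace_random(void)
{
    metal_layer m = { { false }, { false }, { false } };
    uint32_t seed = 0x2545F491u;
    m.cut[2] = true;
    return check_metal_layer(&m, &seed, 1000, true);
}

/* Same cut trace, but driven with a constant low pattern: never detected,
 * which is why the drive levels must come from a random number generator. */
int demo_cut_trace_fixed(void)
{
    metal_layer m = { { false }, { false }, { false } };
    uint32_t seed = 0x2545F491u;
    m.cut[2] = true;
    return check_metal_layer(&m, &seed, 1000, false);
}
```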

[0078] Another embodiment of the invention is shown in FIG. 12. The metal layer is ... traces shown in FIG. 12 as numerals 902-904. These metal traces are connected to a logic potential .... FIG. 12 also contains a plurality of AND gates, shown as numerals 906-908, and a plurality of memory cells 913-916. Each of the AND gates 906-908 has one input terminal connected to one of the traces 902-904 and one output terminal connected to one of the power lines 910-912 of memory cells 914-916, respectively. The other terminals of each AND gate 906-908 are connected to power lines 909-911, respectively. These power lines 909-911 could ....

[0079] When the metal traces are in their normal condition, i.e., connected to a logic high potential, the outputs of the AND gates are in a logic high potential. Thus, all the memory cells are powered by the outputs of the AND gates. However, if any one of the traces is removed, the output of the corresponding AND gate will be changed to a logic low, turning off the associated memory cell. Since the output of an AND gate is connected to an input of the adjacent AND gate, the output of the adjacent AND gate becomes a logic low, which turns off the memory cell associated with the adjacent AND gate. This sequence of events propagates until all the outputs of the AND gates become a logic low. As a result, all the memory cells are turned off, resulting in the destruction of the data stored therein. This embodiment does not require any action of the Micro Controller and could be a last-ditch defense ....

[0080] A third embodiment of the invention is a LATN cell, shown in FIG. 13 as 920. Cell 920 is a latch with a weak feedback path so that any intrusion in the cell will cause the cell to toggle. A control signal ... is applied to a transmission gate 924 and, through an inverter 926, to another transmission gate 922. As a result, only one of the transmission gates is turned on at a time. When transmission gate 922 is turned on, the data signal passes through an inverter 928 to output inverters 929 and 930. An inverter 931 is connected to inverter 929 in order to provide an inverted output. When transmission gate 922 is turned off, the data signal is no longer connected to the output inverters. However, the output signal retains its value because of the feedback provided by an inverter 932 and transmission gate 924.

[0081] One of the important features of the LATN cell 920 of the present invention is that the feedback inverter 932 has weak output power. Thus, if the LATN cell 920 is exposed to radiation introduced by a probe, the feedback path is broken and the output value of LATN cell 920 would not be maintained.

[0082] In all of these embodiments, the outputs thereof could be used as detectors, as symbolically represented by Metallization Layer Detector 18, feeding their signal through the Silicon Firewall 20 to the Status Register 11. It should not be ignored that the Metallization Layer itself provides a passive defense to probing, as discussed below.

iv. RTC Rollover Bit and the Clock Integrity Check.

[0083] As discussed above, the Real Time Clock 5 uses a 32.768 KHz crystal to drive a Ripple Counter 248 which keeps UNIX time. Were one to replace this crystal with a frequency source several orders of magnitude higher, while the SPU is operating under battery power only, one could conceivably roll the counter over a predetermined number of pulses to the point where, when system power is reapplied, the Micro Controller 3 would not be able to detect that any discernible amount of time had passed since the previous time it was turned on. The implications for various applications are serious, as for example: metering information, where the time the information was actually used and the time subsequently charged for such use would have little bearing on each other.

[0084] Prior art solutions to detect clock tampering have the drawback that they require the entire system to be always up and running; typically however, in order to minimize power consumption in times of non-use, most of the system is powered down while the real-time clock continues to run from batteries. Thus, the problem is to create a mechanism that can detect tampering of a real time clock without the use of the external system, such mechanism to be contained wholly within the real time clock for security reasons, and be a minimal drain on the total power.
[0085] In the present invention, referring to FIG. 1, this problem is solved by the provision of a rollover bit in the Status Register 11, set by the ROLLOVER 34 signal. This rollover bit is configured to be read/write mask, i.e. it can only be cleared by writing a one to it when it already is set to one, and this write may only come from the Micro Controller 3, a feature which enhances security. The ROLLOVER 34 signal is generated by the Real Time Clock 5 described above. The 32 bits of the SC 305 output, as per FIG. 8, represent a carry-over at 2^32 cycles, corresponding to about 136 years when operating in conjunction with a 32.768 KHz crystal. This is well within the contemplated lifetime of any SPU product. Even clocking the circuit at something like 32.768 MHz, three orders of magnitude higher, were this tolerated by the oscillator circuitry, would result in a rollover after every 49.7 days, a long time for a would-be attacker to wait, and even then such attacker would be foiled by the rollover bit feature, as a rollover should never occur within the contemplated lifetime of the product, as just discussed. Resorting to a second rollover would not work, as the rollover bit cannot be cleared by a second carry-over, as just described.

[0086] This approach has the advantages of its low cost of implementation, the small amount of SPU real estate it requires, and its compatibility with a simple ripple counter architecture, yet not inviting additional security risks.
[0087] The security offered by the RTC Rollover Bit is supplemented by a general clock integrity check as shown in FIG. 14(a). The process begins at step 551 by reading back from RAM 8, or some special register, a prior readout of the Real Time Clock 5 stored by this process 552. A monotonicity test is performed by comparing the present time with the prior stored reading 553. If the present time is less, a security problem has arisen and is signalled 560 and the process should then terminate 558. If the present time is indeed greater, then it is stored for a future monotonicity test 554. Next a fixed benchmark performance test is conducted 555; many of these types of tests are well-known in the art and need not be alluded to here. The important thing is that such test take a given number of system clock cycles, CTTL 25, such length established during production time testing or alternatively, clocked at run time for the given number of cycles. At the completion of the benchmark test, the completion time, as measured by the Real Time Clock 5, should be stored 556. Thus, the benchmark test elapsed time, as measured by the Real Time Clock 5, can be calculated and compared with the number of CTTL 25 clock cycles. The initial calibration of the System Clock 2, that is, the setting of its operational frequency, should provide the necessary conversion factor between the Real Time Clock 5 and the System Clock 2 allowing such a comparison. As described earlier, the System Clock 2 also exhibits a considerable degree of variability with temperature; thus, the time comparison should take into account some operational tolerance 557. If the comparison falls outside this tolerance, the security problem should be signalled 559, but in either case the process would then terminate 558.
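An added C example (not the patent's code) that models the rollover bit semantics of [0085] together with the clock integrity check of FIG. 14(a): the bit is set only by the ROLLOVER signal and cleared only by the Micro Controller writing a one while it is already set, and the check runs the monotonicity test, then compares the benchmark's Real Time Clock elapsed time against its CTTL cycle count using the calibrated System Clock rate as the conversion factor, within a tolerance. The bit position, the structure layout and the constructed numbers (11 MHz SYSCLK, a 1,100,000 cycle benchmark, 10% tolerance) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define RTC_HZ 32768u        /* crystal frequency stated in the text */
#define ROLLOVER_BIT 0x01u   /* assumed position within the Status Register */

typedef struct { uint8_t status; } status_register;

/* Hardware side: the ROLLOVER signal from the ripple counter sets the bit.
 * A second carry-over only sets it again; it can never clear it. */
void rollover_signal(status_register *sr) { sr->status |= ROLLOVER_BIT; }

/* Bus side: read/write-mask semantics. The bit clears only when a one is
 * written to it while it is already set, and only by the Micro Controller.
 * Writes of zero, writes from anyone else, and writes while clear do nothing. */
void status_write(status_register *sr, uint8_t value, bool from_micro_controller)
{
    if (!from_micro_controller) return;
    if ((value & ROLLOVER_BIT) && (sr->status & ROLLOVER_BIT))
        sr->status &= (uint8_t)~ROLLOVER_BIT;
}

bool rollover_seen(const status_register *sr) { return sr->status & ROLLOVER_BIT; }

enum clock_result { CLOCK_OK, CLOCK_ROLLED_OVER, CLOCK_NOT_MONOTONIC, CLOCK_RATE_MISMATCH };

typedef struct {
    uint64_t prior_rtc_ticks;  /* readout stored by a previous run (step 552) */
    uint32_t benchmark_cttl;   /* CTTL 25 cycles the fixed benchmark takes (step 555) */
    uint32_t sysclk_hz;        /* calibrated System Clock 2 rate: the conversion factor */
    uint32_t tolerance_pct;    /* operational tolerance for temperature drift (step 557) */
} clock_check_state;

/* One pass of FIG. 14(a). rtc_now is the present RTC readout; the benchmark
 * is modelled by the RTC readout taken when it completed (step 556). */
enum clock_result clock_integrity_check(clock_check_state *st, const status_register *sr,
                                        uint64_t rtc_now, uint64_t rtc_after_benchmark)
{
    if (rollover_seen(sr)) return CLOCK_ROLLED_OVER;     /* should never happen in the product's lifetime */
    if (rtc_now < st->prior_rtc_ticks) return CLOCK_NOT_MONOTONIC;   /* step 553 -> 560 */
    st->prior_rtc_ticks = rtc_now;                       /* step 554 */
    /* RTC ticks that benchmark_cttl system clock cycles should take */
    uint64_t expected = (uint64_t)st->benchmark_cttl * RTC_HZ / st->sysclk_hz;
    uint64_t elapsed = rtc_after_benchmark - rtc_now;
    uint64_t slack = expected * st->tolerance_pct / 100;
    if (elapsed + slack < expected || elapsed > expected + slack)
        return CLOCK_RATE_MISMATCH;                      /* step 557 -> 559 */
    return CLOCK_OK;
}

/* Constructed scenario: SYSCLK calibrated at 11 MHz (the 22 MHz nominal
 * halved), a benchmark of 1,100,000 CTTL cycles = 100 ms = 3276 RTC ticks. */
enum clock_result demo_check(uint64_t rtc_now, uint64_t rtc_after, bool rolled_over)
{
    clock_check_state st = { 1000000u, 1100000u, 11000000u, 10u };
    status_register sr = { 0 };
    if (rolled_over) rollover_signal(&sr);
    return clock_integrity_check(&st, &sr, rtc_now, rtc_after);
}

/* Walks the rollover bit through the four write cases described in the text. */
bool demo_rollover_bit(void)
{
    status_register sr = { 0 };
    status_write(&sr, ROLLOVER_BIT, true);      /* one written while clear: no effect */
    if (rollover_seen(&sr)) return false;
    rollover_signal(&sr);
    status_write(&sr, ROLLOVER_BIT, false);     /* not from the Micro Controller: ignored */
    if (!rollover_seen(&sr)) return false;
    status_write(&sr, 0, true);                 /* writing zero: ignored */
    if (!rollover_seen(&sr)) return false;
    status_write(&sr, ROLLOVER_BIT, true);      /* one written while set: cleared */
    return !rollover_seen(&sr);
}
```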

v. VRT Security Bit and the Power Integrity Check.

[0088] The VRT Security Bit is provided to inform the system that both the battery and system power have simultaneously dropped below an acceptable voltage, for example 2V. When that occurs, any volatile storage information, as well as the time count in the Real Time Clock 5, may be lost. References to RAM 8 in this context will be deemed to include as well the time count in the Real Time Clock 5. Referring to FIG. 1, the VRT bit may be implemented as a special bit in the Status Register 11 ... read/write lines 36. The VRT bit is used in conjunction with ...

[0089] ... low power ...; in other words, although presently ... of the power ... should be signalled 261 and the process exit 257.

[0091] ... is the scenario where no modification was detected, yet VRT is 0: the modification detection ... RAM 8 in a ... configuration, i.e. it is said to be in the manufacturing state. The ... is a ... data such as the keys may be loaded, and a modification detection code performed on the entire contents of RAM 8 .... ... the SPU will set the VRT bit to 1, putting it into the normal operating state 256, after which the process may exit 257.

vi. Bus Monitoring Prevention.

[0093] With PDPS one is concerned with protecting secret information which, among other objectives, includes thwarting any attempt to monitor the internal data transactions that carry secret information. It is ... a device performing PDPS must have input and output ports, taking in data, performing operations on this data using the internal secret information, and outputting the resulting data. If an integrated circuit ... in such a manner that the secret information contained in the device could be extracted through an input or output port, or if a random failure within the device caused this to happen, then the PDPS system would no longer be secure.

[0094] Prior solutions for keeping secret information have involved restricting such information to a single integrated circuit chip, thus preventing an interloper with standard evaluation tools from monitoring inter-chip ... and discerning the secret information. This confinement approach required a high degree of chip integration in order that all functions needing the secret information are implemented on the same piece of silicon. Also, ... circuits would need to be disabled while secret information was being ....

[0095] These solutions relied on the difficulty in modifying already implemented .... This is no longer the case, as semiconductor evaluation tools have drastically improved in their sophistication and .... It is now possible to modify parts of an integrated circuit without damaging the other parts or the chip's .... Thus, a ... which would keep its secret information on internal buses only, could now be modified to transfer this information to .... This is a lot easier to implement than creating specially-made probes to tap .... It should be noted that even random failures ... result in a similar scenario. In both cases, therefore, monitoring the input and output ports would allow the secret information ....
[0096] The approach to combat this problem, in the present invention, is to create a mechanism internal to the
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chip that verifies that the original design of the input or output circuitry has not been modified by either an attack or ran- 
dom failure, before bringing out any secret information onto the internal bus. This is accomplished by interrogating crit- 
teal circuit components to ensure that they are intact and functioning correctly The detection of a security breach could 
thus be acted upon accordingly, but at the very least, the bus should be disabled from bringing out any secret Informa- 
5 tion. Also, the secret information should be brought out in several pieces, which has the virtue that, were a random hard- 
ware fault to occur precisely when secret information was brought onto the internal bus, then only a small and probably 
useless portion would be compromised. 

[0097] The SPU contains ports that allow data to be transferred from an internal secure bus to external buses. The implementation is brought about, in one embodiment, with special circuitry that is added to the input/output ports and special routines in firmware that are executed by the internal Micro Controller. The internal Micro Controller keeps an internal copy of the last data written to the output register of that port. The internal Micro Controller reads the contents of both the input and output registers; typically only the input registers can be read by the internal Micro Controller. Before bringing secure information onto the bus, the Micro Controller interrogates the port to ensure that the last valid data written to the port is still in place; otherwise, the Micro Controller does not bring secret information onto the bus. If valid data is in place, then a portion of the secret data is brought onto the bus and transferred internally as necessary. The port is again checked to ensure that valid data is in place in the input/output port's output register; if the secret data, or any other data, is detected in the ports then the Micro Controller does not bring any other secret information onto the bus. This is continued until all secret information is transferred to its internal destination.

[0098] It should be noted that the use, or non-use, of the Bus Monitor is a process controlled from firmware. Referring to FIG. 15, this process shall now be described in detail. Upon the Start 320, the Micro Controller 3 determines whether secret data needs to be transferred onto the Internal Bus 10 in step 352. If not, data may be transferred on the Internal Bus 10 in the conventional manner 353. If secret data is to be transferred on the Internal Bus 10, the Micro Controller 3 reads back the output port registers 354, and stores them in temporary storage 355. In one embodiment, before secret data is moved onto the Internal Bus 10, non-secret data is sent over the Internal Bus 10 as a test 356. The output port registers are again read back 357, and compared with the previously stored read back 358. Should they prove different, the process aborts and signals the security problem 325 and exits at step 362, but if they are the same, the process may proceed, as part of a loop, to determine whether any and all parts of the secret data have already been transferred on the Internal Bus 10 in step 359. If not, the next part of the secret data is moved on the Internal Bus 10 at step 360 and then the process loops back to step 357 to read back the output port registers again. If all parts of the secret data have been transferred, the process loops back to step 352 to control further data transfers on the Internal Bus 10.

[0099] This approach has the virtue of relatively low cost implementation, without any special semiconductor processing. It also guards against combined physical and electrical attacks, as well as random failures. This system, by being implemented in multiple blocks within the integrated circuit, in conjunction with firmware operated by the Micro Controller, would be expensive and difficult to reverse engineer.
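The read-back protocol of FIG. 15 can be modelled in a few dozen lines of C. The following is an added illustration, not code from the patent; it assumes a two-port SPU model in which each output register can be read back by the Micro Controller, and uses constructed scenarios (an intact port, a port rewired to mirror the internal bus, and a fault that trips on one particular bus value) to show why the check is repeated after every piece of secret data rather than performed once.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the SPU I/O ports: each port has an output register
 * that the Micro Controller can read back; the Internal Bus 10 is one byte. */
#define NUM_PORTS 2

typedef struct {
    uint8_t out_reg[NUM_PORTS];   /* last data written to each port's output register */
    uint8_t internal_bus;         /* value currently on the Internal Bus 10 */
} spu_model_t;

/* Hypothetical hook that lets a scenario model tampered or faulty port
 * circuitry reacting to whatever is on the internal bus ([0095], [0096]). */
typedef void (*port_behaviour_t)(spu_model_t *spu);

typedef enum { TRANSFER_OK = 0, TRANSFER_ABORTED = 1 } transfer_status_t;

static void drive_bus(spu_model_t *spu, uint8_t value, port_behaviour_t port) {
    spu->internal_bus = value;
    if (port) port(spu);                          /* intact circuitry leaves out_reg alone */
}

/* Read back the output port registers (steps 354 and 357 of FIG. 15). */
static void read_back_ports(const spu_model_t *spu, uint8_t snapshot[NUM_PORTS]) {
    memcpy(snapshot, spu->out_reg, NUM_PORTS);
}

/* Bring `len` bytes of secret data onto the internal bus one piece at a time,
 * checking after every piece that the output port registers still hold the
 * data recorded before the transfer began.  `*moved` reports how many pieces
 * had been on the bus before any abort, i.e. the most that could have leaked. */
transfer_status_t secure_transfer(spu_model_t *spu, const uint8_t *secret, size_t len,
                                  uint8_t *dest, size_t *moved, port_behaviour_t port) {
    uint8_t expected[NUM_PORTS], now[NUM_PORTS];
    *moved = 0;

    read_back_ports(spu, expected);               /* 354: read back, 355: store */
    drive_bus(spu, 0x00, port);                   /* 356: non-secret test traffic */
    read_back_ports(spu, now);                    /* 357 */
    if (memcmp(expected, now, NUM_PORTS) != 0)    /* 358: registers changed? */
        return TRANSFER_ABORTED;                  /* 325/362: signal and exit */

    for (size_t i = 0; i < len; i++) {            /* 359: pieces still to move? */
        drive_bus(spu, secret[i], port);          /* 360: next piece onto the bus */
        dest[i] = spu->internal_bus;
        (*moved)++;
        read_back_ports(spu, now);                /* 357: read back again */
        if (memcmp(expected, now, NUM_PORTS) != 0) {
            spu->internal_bus = 0;                /* stop: no further secret data */
            memset(dest, 0, len);
            return TRANSFER_ABORTED;
        }
    }
    spu->internal_bus = 0;                        /* clear the bus when done */
    return TRANSFER_OK;
}

/* Constructed port behaviours used by the scenarios below. */
static void tampered_port(spu_model_t *spu) {     /* port rewired to mirror the bus */
    spu->out_reg[1] = spu->internal_bus;
}
static void late_fault(spu_model_t *spu) {        /* fault that trips on one bus value */
    if (spu->internal_bus == 0xCC) spu->out_reg[0] ^= 0x01;
}

/* Run one scenario on a fresh model: 0 = intact ports, 1 = tampered port,
 * 2 = random fault during the transfer.  `*moved` is set as above. */
transfer_status_t run_scenario(int mode, size_t *moved) {
    static const uint8_t key[4] = { 0x11, 0x22, 0xCC, 0x44 };   /* constructed sample key */
    spu_model_t spu = { { 0x5A, 0xA5 }, 0 };
    uint8_t dest[4];
    port_behaviour_t port = mode == 1 ? tampered_port : mode == 2 ? late_fault : NULL;
    return secure_transfer(&spu, key, sizeof key, dest, moved, port);
}

int scenario_status(int mode) { size_t m; return run_scenario(mode, &m); }
size_t scenario_moved(int mode) { size_t m; run_scenario(mode, &m); return m; }

int main(void) {
    for (int mode = 0; mode < 3; mode++) {
        size_t moved;
        transfer_status_t st = run_scenario(mode, &moved);
        printf("scenario %d: %s, %zu of 4 pieces were on the bus\n", mode,
               st == TRANSFER_OK ? "transfer completed" : "aborted", moved);
    }
    return 0;
}
```

In scenario 1 the tampered port is caught by the non-secret test traffic of step 356 before any key byte moves; in scenario 2 the fault is only detected after the third piece, which is exactly the "small and probably useless portion" that splitting the transfer is meant to limit.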

vii. Trip Wire Input.

[0100] Many of the concerns regarding attack on the input/output pins of the SPU, described above in the context of the Bus Monitor Prevention, may be addressed through monitoring of just these pins, providing cryptographic alarms or trip wires to just those kind of attacks. An attacker may be monitoring any given pin, to determine its functionality. The PINs 32 of the I/O Port 1, being programmable, are ideally suited to detect any such unexpected reads or writes. Furthermore, they may be used not only to detect an attacker usurping these PINs 32, but may also be used as inputs from off-chip external detectors, such as a battery of photo detectors arrayed inside a PCMCIA card.

[0101] With reference to FIG. 16, the process that begins at step 401 will now be described in detail. A given bit, the Xth bit, on the I/O Port 1 is set to a 1 402. The process waits until the operating system has determined it is time for the I/O Port 1 to be checked 403. This should take into account, for instance, when such pin needs to be used for regular I/O operations. When such time arrives, the Xth bit is read 404 and checked if it is still a 1 405. If so, the process may return to its wait state at step 402. Otherwise, the process aborts and signals the security problem 406, and the process exits 407.

viii. Software Attack Monitor.

[0102] One of the least expensive ways to defeat the security system in a hardware device (which may contain a plurality of components such as a microprocessor, PALs, etc.) is to mount a random data electronic attack on the hardware device. Specifically, an attacker could send signals (which may be commands, data, or random signals) to the input pins of some of the components in the device and monitor the output pins of the same and/or different components. This kind of attack requires little or no special hardware, and the attacker may be able to learn confidential information contained in or protected by the hardware device.

[0103] A typical attack strategy is now described. An attacker would monitor the hardware and software operation of the components for some period of time during normal operation. As a result, the attacker could determine the normal command structure of the programmable components in the hardware device. The attacker would then create his/her own command sequences (e.g., by slightly modifying the commands or the command operators, or by issuing entirely different commands) based on the information obtained. The reaction of the components to these command sequences is then recorded, thus building up a "characterization database." As the operation of the components becomes understood, the signals sent to the components are no longer random but are designed to identify commands that could defeat the security of the system.

[0104] It can be seen from the above attack strategy that the components in the hardware device [...] will receive a large number of invalid commands, at least during the initial phase of the attack. Therefore, one aspect of the present invention is for the SPU to detect the occurrence of an excessive number of invalid commands and take appropriate actions to defeat or hinder the attack. One should bear in mind that some perfectly innocent situations generate a series of invalid commands, as for example, when a computer upon boot-up interrogates all peripheral devices and ports to determine if they are present and active.

[0105] One means by which to measure an "excessive number" of invalid commands is to determine the number of invalid commands per unit time. The appropriate time unit can be determined by: (1) the rollover time of a counter driven by an oscillator, such as RTCLK 29; (2) a predetermined number of ticks of the Real Time Clock 5; (3) a software timing loop. If the number of invalid commands per unit time exceeds a predetermined value ("limit parameter"), appropriate action will be taken by the SPU.

[0106] In some situations, it may be preferable for the SPU to set several limit parameters, each having an associated action. FIG. 17 contains a flowchart 940 which includes four limit parameters. Note that the number of limit parameters is illustrative only, and any number of limit parameters may be used. The flowchart begins by setting the values of each of the four limit parameters 942. The flowchart then branches into a loop consisting of blocks 946-966.

[0107] In block 946, the SPU determines whether a command is valid. If the command is valid, it is processed in the regular manner (block 948). The flowchart then branches back to block 946 to fetch and examine another command. If the command is not valid, flowchart 940 goes to block 950, which calculates the number of invalid commands per unit time. The result of the calculation is compared with the first limit parameter (block 952). If the result is less than the first limit parameter, then no tamper-reactive action is taken, and the flowchart branches back to block 946 to process the next command. If the result is larger than the first limit parameter, the process generates a signal indicating a first level security problem.

[0108] The flowchart then branches to block 956, which compares the number of invalid commands per unit time with a second limit parameter. If the number is less than the second limit parameter, then no additional action is taken and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the second limit parameter, the process generates a signal indicating a second level security problem (block [...]).

[0109] The flowchart 940 then branches to block 960, which compares the number of invalid commands per unit time with a third limit parameter. If the number is less than the third limit parameter, no additional action is taken and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the third limit parameter, the process generates a signal indicating a third level security problem (block 958).

[0110] The flowchart 940 then branches to block 964, which compares the number of invalid commands per unit time with a fourth limit parameter. If the number is less than the fourth limit parameter, no additional action is taken and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the fourth limit parameter, the process generates a signal indicating a fourth level security problem (block 958).

[0111] It is of course up to the supervisory program to decide what steps to take in response to signals of the various limit security problems. The SPU can be programmed to take any or all appropriate actions.
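As an added example (not the patent's own firmware), the multi-level threshold logic of flowchart 940 in C, counting invalid commands per unit of time where the unit is a fixed number of Real Time Clock 5 ticks (alternative (2) of [0105]). The limit values 8/16/32/64 and the window lengths are constructed; the boot-time probe of [0104] is included to show that a short innocent burst stays below the first limit, and a long burst is run against two window lengths to show that the rate, not the total, drives the level.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed software attack monitor modelled on flowchart 940 (FIG. 17).
 * Invalid commands are counted per unit time; four limit parameters each
 * raise a higher-level security signal when the count exceeds them. */
#define NUM_LIMITS 4

typedef struct {
    uint32_t limit[NUM_LIMITS];   /* limit parameters set in block 942 (ascending) */
    uint32_t window_ticks;        /* length of the unit of time in RTC ticks */
    uint32_t window_index;        /* which unit the current count belongs to */
    uint32_t invalid_count;       /* invalid commands seen in that unit */
} attack_monitor_t;

void monitor_init(attack_monitor_t *m, const uint32_t limits[NUM_LIMITS],
                  uint32_t window_ticks) {
    for (int i = 0; i < NUM_LIMITS; i++) m->limit[i] = limits[i];
    m->window_ticks = window_ticks;
    m->window_index = 0;
    m->invalid_count = 0;
}

/* Block 950: number of invalid commands in the unit of time containing
 * `rtc_tick`.  A new unit starts the count afresh, so an old burst does not
 * accumulate forever against the limits. */
static uint32_t invalid_per_unit_time(attack_monitor_t *m, uint32_t rtc_tick) {
    uint32_t idx = rtc_tick / m->window_ticks;
    if (idx != m->window_index) {
        m->window_index = idx;
        m->invalid_count = 0;
    }
    return ++m->invalid_count;
}

/* One pass through blocks 946-966 for a single command.  Returns 0 when no
 * signal is raised, otherwise the highest level (1..4) whose limit parameter
 * the current rate exceeds.  Mapping levels to responses is left to the
 * supervisory program ([0111]); this function only reports. */
int monitor_on_command(attack_monitor_t *m, bool command_valid, uint32_t rtc_tick) {
    if (command_valid) return 0;                       /* 946 -> 948: regular processing */
    uint32_t rate = invalid_per_unit_time(m, rtc_tick); /* 950 */
    int level = 0;
    for (int i = 0; i < NUM_LIMITS; i++) {             /* 952, 956, 960, 964 in turn */
        if (rate > m->limit[i]) level = i + 1;         /* "larger than" raises the signal */
        else break;                                    /* limits ascend: no need to go on */
    }
    return level;
}

/* Constructed scenario: a fresh monitor with limits 8/16/32/64 receives one
 * invalid command per tick for `n_invalid` ticks.  Returns the highest level
 * signalled, which depends on the unit length as well as the total count. */
int highest_level_for_burst(uint32_t n_invalid, uint32_t window_ticks) {
    static const uint32_t limits[NUM_LIMITS] = { 8, 16, 32, 64 };
    attack_monitor_t m;
    monitor_init(&m, limits, window_ticks);
    int highest = 0;
    for (uint32_t t = 0; t < n_invalid; t++) {
        int level = monitor_on_command(&m, false, t);
        if (level > highest) highest = level;
    }
    return highest;
}

int main(void) {
    /* A boot-time probe of a few ports ([0104]) stays below the first limit... */
    printf("5 invalid commands in one unit: level %d\n", highest_level_for_burst(5, 100));
    /* ...while a sustained characterization run climbs through all four levels. */
    printf("65 invalid commands in one unit: level %d\n", highest_level_for_burst(65, 100));
    /* The same kind of run measured in 50-tick units never exceeds the fourth limit. */
    printf("200 invalid commands, 50-tick units: level %d\n", highest_level_for_burst(200, 50));
    return 0;
}
```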

e. Programmable Security.

[0112] The Programmable Distributed Personal Security System is based on the orchestration of three conceptually distinct, but nonetheless interrelated, systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of an attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The selection of responses by the filters would be said to constitute the "policy" of the SPU. The present invention permits a wide capability in all three of the detectors, filters and responses, allowing a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.

[0113] The effectiveness of this PDPS trio is enhanced significantly by the other design features of the SPU architecture disclosed herein, for example: the Power Block 13, Power Isolation 13, Silicon Firewall 20, System Clock 2 and Real Time Clock 5, and the Inverting Key Storage. Although the implementation of some of these features creates security barriers, which do not strictly fit into the detector/filter/response paradigm, the presence of these barriers certainly slows or even thwarts an attacker's progress, allowing for more time to detect an attack, filter out the characteristics of such attack and thus make a more measured response thereto.


i. Detection.

[0114] A wide variety of detectors have already been disclosed, some implemented in hardware, others in firmware. Some may bear witness unambiguously to an actual physical intrusion into the SPU, such as the Metallization Layer Detector 18; others, such as the Photo Detector 16, may be triggered by noninvasive means such as an X-ray of the SPU, or by very invasive means, such as the actual de-encapsulation of the chip. Again, the purpose at this stage is not to decide on the course of action, nor even to coordinate all related information; it is simply to report the detection and [...].
[0115] Referring to FIG. 18, the process of how detectors are generally handled will now be described. The process begins 451 by a decision of whether the detector signal is generated by hardware or firmware 452. The exact nature of how this step is taken is unimportant. Here it is represented by an interrupt generated in the Micro Controller 3, but it could just as easily be based on some periodic polling of registers or any other equivalent method well-known to practitioners in the art. Even the distinction between firmware and hardware detectors is at a certain level irrelevant, as the parallelism present in FIG. 18 shows. If the interrupt was generated by hardware, the Status Register 11 would then be polled 453. In this implementation, the key to determining whether indeed any hardware detector was activated was that one or more bits of the Status Register 11 should have changed from the last time it was read 454. If so, the SPU could then take actions as dictated by its programmed policy 455. If not, either an error has occurred owing to a false detection or certain operational features are in play, such as the signal owing to a periodic wake-up of the SPU under battery power. In either case, action dictated by policy, given such an error or feature, should then be taken 460. Alternatively, at step 452 had the signal originated in firmware, the process would set about determining the routine generating it 461. If such routine proved to be a valid one 462, again action should be taken as dictated by policy 455. Otherwise, action consistent with this error or possible feature should be taken, again as dictated by policy 463. All the aforementioned scenarios thereafter converge. If, in accordance with one alternate embodiment disclosed herein, an alarm wake-up capability is provided, and the process was invoked owing to such an alarm 456, the process would then generate the SLEEP 41 signal 459 and terminate 458. Otherwise, the process would return from interrupt or whatever housekeeping required in accordance with the particular implementation used 457 and then terminate 458.

ii. Filtering. 

[0116] The programmable filtering process lies at the heart of PDPS: without it one merely has hardwired and indiscriminate responses to various attacks. With reference to FIG. 19, this process itself consists of two stages: (i) correlating signals produced by the various detectors to ascertain the attacks involved (FIGS. 19(a), 19(b), 19(c)); and (ii) based on the attacks involved, selecting an appropriate response (FIGS. 19(d), 19(e), 19(f)). There are, of course, operational factors involved at both stages of this process. These factors may be static and intrinsically related to the type of application, the architecture of the SPU, etc., or they may be dynamically varying and related to, for example: (i) the prior history or frequency of detected signals, responses, or all events; (ii) the present state of the SPU; (iii) the present stage or mode of the application; (iv) the potential harm a given attack may represent; or (v) combinations of factors or detectors, for example, coming from a given set, occurring in a particular order, or occurring within a fixed time frame.

[0117] The conditions whereby the detectors are correlated are as follows. In FIG. 19(a), a false alarm condition is shown. A signal is detected, D_a 501, without corresponding to any real attack, A_a 502. There are various means by which such a false alarm could be discerned. For example, the detector producing the D_a 501 signal could be polled once more to determine whether the first reading was spurious or not. Alternatively, it may be inferred from the state of other detectors. Such a scenario will be discussed in the context of FIG. 19(c). FIG. 19(b) demonstrates an opposite extreme where a signal D_b 603 corresponds unambiguously to one attack, A_b 504. However, most attacks will be characterized as in FIG. 19(c), where each of one or more detectors, D_c1 505, D_c2 506 and D_c3 507, in conjunction with zero or more factors, F_c1 508, F_c2 509, are required to fully characterize a given attack, A_c 510.

[0118] The selection of responses to attacks falls into the following categories. There is, of course, the non-response R_d 512 in FIG. 19(d) whereby no action is taken for a given attack, A_d 511. This may owe to a lack of capability, a deliberate design choice, or an application decision. In FIG. 19(e), analogous to the unambiguous condition of FIG. 19(b), there is the unconditional response R_e 514 to an attack A_e 513. This may represent a last-ditch scenario, where all outer defenses have been breached and some unequivocal and serious countermeasure needs to be taken. On the other hand, it may also be an application decision. Finally, in FIG. 19(f), there is the general scenario where one or more attacks A_f1 515, A_f2 516, in conjunction with zero or more factors, F_f1 517, F_f2 518, F_f3 519, must have been or are present in order to select the response R_f 520.

[0119] By custom tailoring the correlation of the detector signals, as well as the selection of the responses, the programmable security system can be application- as well as environment-specific.
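The two filter stages of FIG. 19 can be written as two small rule tables. This added example in C is not from the patent: it uses constructed detector bits, factors and attack/response names loosely drawn from TABLES I and II, treats a signal that does not survive a second poll as the false alarm of FIG. 19(a), and keeps a deliberate non-response (FIG. 19(d)) and an unconditional response (FIG. 19(e)) alongside factor-dependent ones (FIG. 19(f)).

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed detector signals (the D's of FIG. 19), operational factors
 * (the F's), attacks (A's) and responses (R's).  The tables below are a
 * sample policy written for this example, not the patent's own. */
enum { D_PHOTO = 1 << 0, D_METAL = 1 << 1, D_TEMP = 1 << 2,
       D_ROLLOVER = 1 << 3, D_BUSMON = 1 << 4, D_SAM = 1 << 5 };
enum { F_BATTERY_ONLY = 1 << 0, F_REPEATED = 1 << 1, F_HIGH_SECURITY = 1 << 2 };

typedef enum { A_NONE, A_ILLUMINATION, A_ELECTRICAL, A_CLOCK, A_KEY, A_PHYSICAL } attack_t;
typedef enum { R_NONE, R_LOG, R_DECOY, R_DISABLE_TEMP, R_USE_OTHER_CLOCK,
               R_DISABLE_METERING, R_DISABLE_KEYS, R_DESTROY_KEYS } response_t;

/* Stage (i): correlation rules in the form of FIG. 19(c).  An attack is
 * recognised when every detector and every factor in its rule is present.
 * Rules needing more detectors come first so that a combination is not
 * mistaken for one of its parts. */
static const struct { unsigned det; unsigned fac; attack_t attack; } correlation[] = {
    { D_PHOTO | D_TEMP,   0, A_PHYSICAL },     /* de-encapsulation: light plus heat ([0136]) */
    { D_METAL | D_BUSMON, 0, A_KEY },          /* layer cut plus port tampering ([0133]) */
    { D_METAL,            0, A_PHYSICAL },     /* FIG. 19(b): one signal, one attack */
    { D_PHOTO,            0, A_ILLUMINATION }, /* e.g. an X-ray of the SPU ([0114]) */
    { D_ROLLOVER,         0, A_CLOCK },        /* RTC rolled over ([0131]) */
    { D_SAM,              0, A_ELECTRICAL },   /* Software Attack Monitor ([0129]) */
};

attack_t correlate_attack(unsigned signals, unsigned factors) {
    for (size_t i = 0; i < sizeof correlation / sizeof correlation[0]; i++)
        if ((signals & correlation[i].det) == correlation[i].det &&
            (factors & correlation[i].fac) == correlation[i].fac)
            return correlation[i].attack;
    return A_NONE;
}

/* Stage (ii): response selection, FIG. 19(d)-(f).  Factors can escalate a
 * response; A_PHYSICAL gets the unconditional last-ditch response of 19(e)
 * and A_ILLUMINATION the deliberate non-response of 19(d). */
response_t select_response(attack_t attack, unsigned factors) {
    switch (attack) {
    case A_NONE:         return R_LOG;             /* confirmed signal, no known attack */
    case A_ILLUMINATION: return R_NONE;            /* FIG. 19(d): design choice */
    case A_PHYSICAL:     return R_DESTROY_KEYS;    /* FIG. 19(e): unconditional */
    case A_KEY:          return (factors & (F_REPEATED | F_HIGH_SECURITY))
                                ? R_DESTROY_KEYS : R_DISABLE_KEYS;
    case A_CLOCK:        return (factors & F_BATTERY_ONLY)
                                ? R_DISABLE_METERING : R_USE_OTHER_CLOCK;
    case A_ELECTRICAL:   return (factors & F_REPEATED) ? R_DISABLE_TEMP : R_DECOY;
    }
    return R_LOG;
}

/* The complete filter.  `first` is the Status Register 11 reading that
 * raised the interrupt; `second` is a re-poll of the same detectors.  A bit
 * set in the first reading only is the spurious signal of FIG. 19(a): it is
 * logged but never correlated into an attack. */
response_t filter_decide(unsigned first, unsigned second, unsigned factors) {
    unsigned confirmed = first & second;
    if (first == 0) return R_NONE;                 /* nothing fired */
    if (confirmed == 0) return R_LOG;              /* false alarm */
    return select_response(correlate_attack(confirmed, factors), factors);
}

int main(void) {
    printf("photo detector, not confirmed on re-poll -> %d (R_LOG)\n",
           filter_decide(D_PHOTO, 0, 0));
    printf("metallization + bus monitor, repeated    -> %d (R_DESTROY_KEYS)\n",
           filter_decide(D_METAL | D_BUSMON, D_METAL | D_BUSMON, F_REPEATED));
    printf("rollover while on battery power          -> %d (R_DISABLE_METERING)\n",
           filter_decide(D_ROLLOVER, D_ROLLOVER, F_BATTERY_ONLY));
    return 0;
}
```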

iii. Responses.

[0120] The final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set of [...]. These responses fall into the following categories: (i) passive; (ii) alarms; (iii) decoy activity; (iv) restriction of access; and (v) destructive. Examples of each are given in TABLE I, which is meant to be an illustrative, but by no means exhaustive, list.



TABLE I
Examples of Typical Responses

Passive
• Non-response
• Log attack internally

Alarm
• Signal local computer
• Signal remote computer
• Set I/O Port pin high

Decoy
• Random command response
• Random external bus activity

Restricted Access
• Disable SPU for period of time
• Require recertification
• Disabling use of keys, passwords

Destructive
• Destroy keys
• Destroy secret data
• Disable SPU permanently

[0121] A passive response would be one where the SPU conveys no external signal, nor functions in any observable manner different from its normal mode of operation. This would of course include the classic "non-response" discussed earlier, but also an on-board logging of the attack with its type, timestamp, context, etc.

[0122] An alarm response would indeed convey an externally detectable signal. The SPU may signal the running application [...] to alert the user that the SPU is aware of the attack and may have to proceed to more drastic measures if the attack is not discontinued. In a situation where the SPU is connected via a network or modem to some monitoring computer, as for example, in an information metering context, the SPU may signal that remote computer that [...] is attempting to attack it. On the hardware level, an alarm may be implemented simply by setting an I/O Port pin high.

[0123] A decoy response would be activity that departs from the normal mode of SPU activity. It may indeed mimic valid SPU activity, e.g. responding to valid SPU commands, or generating signals on the External Bus Interface 9, either selected at random or from some predetermined set.

[0124] A restricted access response would be to disable some functions from the normal mode of SPU operation. Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling the use of keys or passwords.

[0125] A destructive response, which disables functionality of the SPU permanently, would include destruction in memory, by erasing keys or other secret data, or permanent physical disablement, such as the burning out of internal fuses.

d. Attack Scenarios.

[0126] Now that the overall structure of the invention has been laid out, it is fruitful to describe attack scenarios in detail: the manner in which they are conducted, the information or effect they wish to achieve or access, the defenses available to the SPU that would thwart such an attack, factors that are relevant in reacting to such attacks, and the responses appropriate to such an attack. A summary of the applicable disclosed SPU features, detectors and responses is given in TABLE II. These scenarios are by no means exhaustive, but merely illustrative. All further references, unless specified otherwise, are to elements of FIG. 1.
TABLE II
Summary of Attack Scenarios

Attack Type: Electrical Attack on I/O Ports
SPU Protective Feature(s):
• Silicon Firewall 20
• Alarm wake up
Triggered Detector(s):
• Bus Monitor
• Trip Wire Input
• Software Attack Monitor
• Metallization layer detector 18
• Photo Detector 16
Suggested Response(s):
• Random command response
• Random external bus activity
• Disable SPU temporarily
• Disable SPU permanently

Attack Type: Clock Attack
SPU Protective Feature(s):
• Silicon Firewall 20
• System Clock 2
• Real Time Clock 5
Triggered Detector(s):
• RTC Rollover Bit
• Monotonicity test
• System/Real Time Clock cross-check
• Temperature Detector 17
Suggested Response(s):
• Use other clock
• Disable metering functions

Attack Type: Key Attack
SPU Protective Feature(s):
• Battery-backed RAM 8
• Metallization layer
• Inverting key storage
Triggered Detector(s):
• Metallization layer detector 18
• Bus Monitor
• VRT Security Bit
Suggested Response(s):
• Disable use of keys
• Destroy keys

Attack Type: Physical Attack
SPU Protective Feature(s):
• Physical coating
• Metallization layer
Triggered Detector(s):
• Temperature Detector 17
• Photo Detector 16
Suggested Response(s):
• Disable keys, secret data
• Destroy keys, secret data

Attack Type: Combination Attack
SPU Protective Feature(s):
• Any/all of the above
Triggered Detector(s):
• Any/all of the above
Suggested Response(s):
• Any/all of the above

Attack Type: User Fraud
SPU Protective Feature(s):
• Silicon Firewall 20
• Power Block 13
Triggered Detector(s):
• RTC Rollover Bit
• Monotonicity test
• System/Real Time Clock cross-check
• VRT Security Bit
Suggested Response(s):
• Signal Local Computer
• Signal Remote Computer
• Disable metering functions
• Require recertification


i. Electrical Attack on I/O Ports.

[0127] Arguably, the simplest form of attack would be an electrical attack on the I/O Port 1. This type of attack requires very little special hardware. The attacker simply uses the same system configuration that is used in the normal application; however, instead of using the intended software, the attacker creates his own code to interrogate the device. The attacker could go one step further and place monitoring equipment on strategic points in the circuit, as for example, the SPU pins or PAL outputs. This would allow the attacker to more thoroughly characterize the chip in its normal operation, and when it is under attack.

[0128] The typical approach would be to monitor the hardware or software for some period of time during normal operation. From this the attacker could determine the normal command sequence. After this characterization, the attacker could then create his own command sequences based on the information he has obtained. He could try to slightly modify the commands or the command operators to get the device to perform different functions. He might also try to issue commands that he did not see before to see how the device would react. All during this process the attacker would be recording the responses to the different stimuli. As patterns are detected, the data that is issued to the device is no longer random but designed to further evaluate the particular operation. This continues until a particular [...] is fully characterized. It would be the attacker's intention to identify commands or responses that could defeat the overall system. For example, the attacker might be looking for a reset operation command, and could then issue such command at inappropriate times.
[0129] The Silicon Firewall 20 would prevent asynchronous signals from the attacker overwhelming the system. The Software Attack Monitor (FIG. 17) would be very sensitive to the overall characterization process. Possibly appropriate responses, in accordance with the measured stages of the Software Attack Monitor, would be to lead an attacker astray with random responses, or eventual disablement of the SPU.

ii. Clock Attack.

[0130] Many applications of the SPU could employ the Real Time Clock 5 advantageously, as for example in information metering. However, the Real Time Clock 5 could be attacked in a variety of ways. The external crystal 15 could be substituted to modify the frequency of the RTC Oscillator 15 and hence the internal Real Time Clock 5. The SPU is designed to perform integrity tasks, one of which is to check the Real Time Clock 5 against the System Clock 2 to see if it is operating in the correct range (FIG. 14(a)). However, in one embodiment, these integrity tasks would be performed only when the entire system is powered; when system power VDD 22 is removed, only the battery-backed Real Time Clock 5 remains operational. It is at this opportunity that an attacker could attack the external crystal 15 without immediate detection. As the Real Time Clock 5 uses a simple binary ripple counter, an attacker could advance the counter until it rolled over. Subsequently, the attacker could continue to run the clock forward to whatever given time reading he wished. This is analogous to the resetting of the odometer of a used car by an unscrupulous dealer.

[0131] The inaccessibility of the internal System Clock 2 to attack, and the Real Time Clock 5 buffering the time signal through an internal Silicon Firewall, certainly stand as barriers in the attacker's way. The System Clock/Real Time Clock cross-check of FIG. 14(a) would detect any switch on power up. If an attacker tried to set the System Clock 2 off by cooling or heating the SPU, the Temperature Detector 17 would give such approach away, as well as a clock cross-check, hitherto successful, eventually failing for falling outside the operational tolerance. Furthermore, an attacker attempting to roll over the Real Time Clock 5 would cause the ROLLOVER 34 signal to go off. A possible response would be to use the System Clock 2 to whatever extent possible in lieu of the Real Time Clock 5 should that clock prove untrustworthy. However, that option is highly application-dependent. In an information metering context, a more likely response would be to disable all metering functions.

iii. Key Attack.

[0132] Secret information is stored in volatile memory, such as RAM 8 within the SPU, rather than ROM 7. This is done to prevent an attacker from gaining access to this information by simply de-encapsulating the SPU chip and "reading" the schematic. However, when keys or other such secret information are stored in volatile memory within a chip, one can deprocess the chip and detect residual charge in the volatile memory which may reveal the contents stored therein. The act of deprocessing would cause power to be removed from the volatile memory, thus causing the data within the memory to be lost, as the charge decays within the semiconductor. However, if the volatile memory contains the same data for a protracted period of time, charge may build up in the dielectric portion of the memory cell, charge which may be feasible to detect despite removal of power. Also, it may be possible to artificially age the memory device by elevating the voltage and changing the operational temperature of the silicon, thus making the SPU even more susceptible to this memory effect.

[0133] As described earlier, the Inverting Key Storage (FIGS. 9, 10) feature would thwart such key attack by averaging out any residual charge. The de-encapsulation process would be rendered more difficult by the presence of the Metallization layer, and the Metallization Layer detector 18 would be set off the moment such layer was cut. The protocol of the Bus Monitor Prevention (FIG. 15), transferring only parts of keys from RAM 8 to the DES Block 6 via Internal Bus 10, would hinder tracing the keys, as well as giving away such attempts. Possible responses might be to disable the keys or other secret data from use, or where the security concerns are very high, or the assault unrelenting, to finally destroy them. Active zeroization could be used to assure such process of erasure is complete.

iv. Physical Attack.

[0134] An attacker might try to de-encapsulate a chip in order to reverse engineer it. Simple observation of the chip layout can lead one experienced in the art to determine where the Micro Controller 3, I/O Port 1, memory, etc., are located. Recognizing the pedigree of a chip, i.e. knowing the manufacturer and the series number and prior chips therefrom, can also aid in the resolution of functionality. Some structures are laid down randomly; others such as RAM and ROM are well-known and normally laid down in regular patterns via chip design macros, meaning that large areas of a chip need not be reverse engineered. Detailed resolution of the chip layout can result in reverse engineering of a chip, a process that might cost as much as $100,000 with today's technology.

[0135] Semiconductor industry evaluation tools now provide the capability of making edits to an integrated circuit after processing has been completed. For example, Focused Ion Beam Mill technology has advanced to the point where the equipment is capable of selectively removing or depositing material on the surface of an integrated circuit. These devices can remove layers of metal and oxide and also lay down layers of metal on the integrated circuit's surface. These devices are ostensibly used to debug integrated circuits by cutting metal traces that connect logic gates and by reconnecting the logical gates in a different manner. It is feasible to lay down internal probes; however, it is less costly and less difficult to modify an existing I/O port.

[0136] This kind of attack would first be thwarted by the physical coatings on the SPU, then the Metallization Layer; both acting to make difficult the process of ascertaining the chip layout and to actuate a connection of a test probe to nodes within the SPU. Such an attack would likely trigger the Metallization Layer Detector 18, the Photo Detector 16, and running the altered circuit live under system power VDD 22 would likely trigger the Bus Monitoring Prevention (FIG. 15). The same responses as given above would likely be appropriate as well. The actual act of de-encapsulation through grinding can create enough heat to trigger the Temperature Detector 17 as well as set off a vibration detector, and again, unless done in total darkness, exposure of the die would set off the Photo Detector 16. Disabling or even destroying the keys and secret data seem the most likely responses to such a scenario.

v. Combination Attack.

[0137] Deprocessing is a sophisticated process, requiring first de-encapsulation and then placing the chip, under
power, on an ion probing station. Such a machine can actually detect voltage potentials at different parts of the chip,
resolving the operational characteristics thereof. The probe cannot observe through a Metallization Layer; however, this
would only serve to slow such a machine down. The machine can also be used to remove the Metallization Layer and
thus uncover previously secure areas. The attacker might even try to reconnect any broken traces in the Metallization
Layer before attempting to access secret information.

[0138] This attack would be slowed by practically every SPU protective feature, trigger practically all the aforementioned
detectors, and could certainly be frustrated by any of the responses discussed and more. No guarantee of absolute
security can ever be made, but here the SPU, subject to the full range of defenses, would make an attack so
costly in time and money as to make the whole attempt pointless for the types of applications contemplated.

vi. User Fraud.

[0139] The thrust of user fraud is not to reverse engineer the SPU; that is chiefly the province of parties wishing to
reproduce compatible or competing SPU products. The fraudulent user instead wishes to use products incorporating
an existing SPU outside of their intended use, e.g., not paying, or being wholly undercharged, for information used
through an information metering device, which is a likely fraud scenario. Thus, such a user may try simple operations
such as trying to roll over the clock, or, by resetting the device at various operational stages, a user might hope to
interfere with usage reporting or metering. Furthermore, also in the information metering context, by trying to overwrite the
RAM 8, after a large purchase, with the contents of the same RAM 8 from before the purchase, a user might hope to
erase the traces of such a transaction.

[0140] The Power Block 13, with its powering up and down mechanisms, the Silicon Firewall 20, and the Software
Attack Monitor (FIG. 17) give an attacker little opportunity for throwing the SPU into an unpredictable or unreliable state
by inopportune resets, as discussed before. The protection of the ROLLOVER 34 signal and the clock cross-checks
have also already been well described.

[0141] In the information metering context, usage might be based on pre-set credit limits, such that should the SPU unit
fail, it would be presumed that the credit limit had been completely used, and thus the metering functions would be disabled.
The user could only overcome this presumption by physically turning over the unit to the servicing agent to prove
it had not been tampered with, or by remote interrogation via modem for instance, and thereafter have the servicing
agent recertify the SPU device.

e. Sample SPU Application. 

[0142] Now that the architecture of the SPU, the nature of the detectors, the detection/filtering/response paradigm of
POPS, and the nature of expected attacks have been discussed, it would be useful to proceed through a sample application
which illustrates the principles of the present invention. For this purpose, a modest application is postulated: the
use of an SPU-equipped PCMCIA card, an "access card", whose sole function is to provide digital cash. It thus operates
as a simple debit-type card, programmed with a certain amount of money, and debited, through use of a PIN number
in various transactions, until the entire programmed-in credit has been exhausted.

[0143] The detection/filtering/response process for this access card is as shown in FIG. 20. It is by no means meant
to be comprehensive, nor necessarily truly realistic, but simply illustrative of the application-specific demands placed
upon programmable security. References herein may also be made to other figures or particular elements present in
FIG. 1. The process starts 1001 by determining whether any detector has been set off 1002. If not, the process loops
back to 1002, preferably performing all the other tasks necessary to the application in the interim.

[0144] If the Photo Detector 16 is set off 1004, the next inquiry is whether such detection is sustained over a period
of time 1034. For example, the access card may have been briefly passed through an X-ray machine at the airport.
Such exposure should be very short term. Thus, if the exposure is not sustained, the event should just be logged 1042
and the process returns, through connectors 1043, 1003, to step 1002 (all references to connectors will henceforth be
dispensed with for the sake of clarity). If the exposure is sustained, the next inquiry is whether this detection is in
conjunction with other detectors going off. This may be the hallmark of many of the attack scenarios discussed earlier. If
there is sustained photo detection in isolation, it is suspicious enough on its own that a prudent step might be to disable
the access card until it is recertified by an appropriate agent 1034, and thereafter the process loops back to step 1002
until further action is taken. Combined with other detectors going off, however, it might be best to disable the access
card permanently 1036, and the process would thus end there 1037.

[0145] If the Temperature Detector 17 is set off 1005, it may then be only necessary to ask whether it occurred in
conjunction with other detectors going off 1030. This differs from the Photo Detector 17 scenario in that it is more likely that
an access card would be subject to high heat for innocuous reasons, as for example the user leaving the access card
on the car dashboard all afternoon. Thus, the application would be more forgiving to mere sustained high temperature.
In that case, the process may simply log the event 1042 and loop back to step 1002. Combined with other detectors
going off, it may indeed be wise to disable the access card permanently in step 1036.

[0146] If the Metallization Layer Detector 18 is set off 1006, it would be hard to justify anything but a harsh policy to
such an event, such as to disable the access card permanently 1036. An exception would be where the Metallization
Layer Detector 18 were of the LATN cell type (FIG. 13), which is so sensitive that other detectors should be correlated
to make sure that a serious attack is indeed being made on the access card.

[0147] If either the ROLLOVER 34 signal or the Clock Integrity Check (FIG. 14(a)) is triggered (steps 1008, 1009
respectively), it may be safe simply to ignore them 1028 and loop back to step 1002, as this simply is not a time-sensi-

[0148] If the Power Integrity Check (FIG. 14(b)) is triggered 1010, two situations are possible: (i) the error state; or (ii)
the low-power state. In the error state, the contents of RAM 8 are no longer trustworthy, which merits that the access
card be disabled permanently 1036. In the low-power state, the RAM 8 contents are still trustworthy, but the battery
power may soon fail, which therefore merits a message to the user to the effect that if the credit is not soon transferred
to another access card, it may be irreparably lost 1026. In the latter case, the process would again loop back to step

[0149] If either the Bus Monitor (FIG. 15) or the Trip Wire Input (FIG. 16) is triggered 1012, there appears little justification
to do otherwise than to disable the access card permanently 1036.

[0150] If the Software Attack Monitor (FIG. 17) is triggered 1014, a logical first step would be to determine if the
access card is still in the handshaking phase 1016. This would correspond, for example, to the access card being
inserted into a card reader and various protocols attempted until a proper link is established between the card and the
card reader. In other words, this "handshaking" process should be excluded from serious security consideration.
Thereafter, a particularly important command that the access card should be focused upon is the proper PIN number being
issued by the user. Thus, the first time an improper command is given within the period of one transaction 1018, the
process may simply log the event 1042. The second time an improper command is received within the period of one
transaction 1020, the access card may issue a message to the user warning them not to do it again 1024, after which
the process would again loop back to step 1002. The third time an improper command is received within the period of
one transaction 1021, the access card may be disabled until recertification by an appropriate agent 1039; otherwise, it
should be disabled permanently 1036.

[0151] If none of the above detectors is triggered, the process would loop back again to step 1002 to await further
detected signals.
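The FIG. 20 policy of paragraphs [0143] to [0151], written out as the kind of programmable filter the text describes. This is an added example, not code from the patent; the detector names, the `Card` class and its fields are assumed, while the step numbers in the comments are those of FIG. 20.

```python
# Added example (not from the patent): the FIG. 20 access-card policy of
# paragraphs [0143]-[0151] as a filter mapping one detector event to one
# response. The Card class and its fields are assumed for the example.
from dataclasses import dataclass

LOG, IGNORE, WARN_USER = "log", "ignore", "warn_user"
LOW_POWER_MSG = "low_power_msg"                      # step 1026
DISABLE_UNTIL_RECERT = "disable_until_recert"        # step 1039
DISABLE_PERMANENT = "disable_permanent"              # step 1036


@dataclass
class Card:
    handshaking: bool = False   # protocol negotiation with the reader (step 1016)
    bad_commands: int = 0       # improper commands seen in the current transaction

    def new_transaction(self):
        self.bad_commands = 0   # the counts of steps 1018-1021 are per transaction


def respond(card, detector, sustained=False, others_active=False, power_error=False):
    """Return the FIG. 20 response for one detector event.

    sustained: the exposure lasted over a period of time (step 1034);
    others_active: other detectors went off at the same time (step 1030);
    power_error: the Power Integrity Check reports the error state, not low power.
    """
    if detector == "photo":                           # step 1004
        if not sustained:
            return LOG                                 # e.g. a brief airport X-ray, step 1042
        return DISABLE_PERMANENT if others_active else DISABLE_UNTIL_RECERT
    if detector == "temperature":                     # step 1005: heat alone is forgiven
        return DISABLE_PERMANENT if others_active else LOG
    if detector == "metallization":                   # step 1006: harsh policy
        return DISABLE_PERMANENT
    if detector in ("rollover", "clock_integrity"):   # steps 1008/1009: not time-sensitive
        return IGNORE
    if detector == "power_integrity":                 # step 1010
        return DISABLE_PERMANENT if power_error else LOW_POWER_MSG
    if detector in ("bus_monitor", "trip_wire"):      # step 1012
        return DISABLE_PERMANENT
    if detector == "software_attack":                 # step 1014
        if card.handshaking:                           # step 1016: excluded from consideration
            return IGNORE
        card.bad_commands += 1
        if card.bad_commands == 1:
            return LOG                                 # step 1018
        if card.bad_commands == 2:
            return WARN_USER                           # steps 1020/1024
        if card.bad_commands == 3:
            return DISABLE_UNTIL_RECERT                # steps 1021/1039
        return DISABLE_PERMANENT                       # beyond that, step 1036
    return IGNORE                                      # nothing recognised: keep polling (step 1002)
```

The LATN-cell exception of [0146] is left out because the page does not say which response applies once other detectors have been correlated.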

[0152] Although the invention has been described in detail with reference to its presently preferred embodiments, it
will be understood by one of ordinary skill in the art that various modifications can be made without departing from the
spirit and the scope of the invention. Accordingly, it is not intended that the invention be limited except as by the
appended claims.

Claims 

1. A secure cryptographic chip for processing and storing sensitive information, including messages received and
generated by the chip and keys used to encrypt and decrypt the messages, and for securing the information
against potential attacks, the chip comprising:

(a) a cryptographic engine for performing cryptographic operations on messages using a first key;

(b) one or more detectors for detecting events characteristic of an attack; and

(c) a plurality of potential responses to detected events, whereby sensitive information is unencrypted only on
the chip, where it is secure from attack.

2. A chip according to claim 1 and including a programmable filter for correlating detected events with one or more 
operational factors and for selecting and invoking one or more responses based upon the correlation. 

3. A chip according to claim 1, further comprising a key generator for generating a second key used by the cryptographic
engine to perform cryptographic operations on the first key.

4. A secure chip according to claim 1 and further comprising: 

(a) an internal system clock for synchronising functions performed on the chip; and 

(b) an external signal synchroniser for synchronising to the internal system clock all asynchronous external
signals received by the chip,

whereby the chip cannot be placed in an unknown state due to the receipt of asynchronous external signals. 

5. A secure chip according to claim 4 wherein the external signal synchroniser synchronises asynchronous external
signals by accepting and using the signals only at selected times determined by the internal system clock.

6. A chip according to claim 1 and further comprising: 

(a) an internal bus for transferring information among components of the chip;

(b) an input/output port for transferring information between internal components of the chip and external
devices; and

(c) a bus monitor for periodically comparing the contents of the input/output port before and after the transfer 
of information along the internal bus, 

whereby the chip can detect unauthorised rerouting, to the input/output port, of sensitive information transferred
along the internal bus.

7. A chip according to claim 6 wherein the bus monitor compares the contents of the input/output port before and
after: 

(a) a first transfer of less than all of the sensitive information desired to be transferred along the internal bus;
and

(b) a second transfer of the remaining sensitive information, if no change in the contents of the input/output port
is detected following the first transfer, 

whereby the chip can effectively prevent the unauthorised rerouting, to the input/output port, of sensitive informa- 
tion transferred along the internal bus. 
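A small simulation of the split-transfer bus monitor of claims 6 and 7, added here as an illustration and not taken from the patent. The `Bus` class, its I/O-port register and the `rerouted` flag that stands in for a trace cut and reconnected to the port are all assumptions of the example; the secret bytes are constructed.

```python
# Added simulation (not the patent's own code) of the bus monitor of claims 6
# and 7. The Bus class, its I/O-port register and the `rerouted` flag that
# models a trace cut and reconnected to the I/O port are all assumed here.
class Bus:
    def __init__(self, rerouted=False):
        self.io_port = 0x00        # value currently visible at the I/O port
        self.memory = []           # legitimate internal destination of the data
        self.rerouted = rerouted   # unauthorised path from the internal bus to the port

    def transfer(self, word):
        """Move one word along the internal bus."""
        self.memory.append(word)
        if self.rerouted:
            self.io_port = word    # the leak: the word also appears at the port


def guarded_transfer(bus, data, probe_len=1):
    """Claim 7: move only `probe_len` words first, compare the I/O port before and
    after, and move the remainder only if the port did not change.

    Returns (words_moved, tampering_detected)."""
    snapshot = bus.io_port                     # claim 6: contents of the port before
    for word in data[:probe_len]:
        bus.transfer(word)                     # claim 7(a): partial transfer
    if bus.io_port != snapshot:
        return data[:probe_len], True          # caught before the rest of the secret moved
    for word in data[probe_len:]:
        bus.transfer(word)                     # claim 7(b): remaining transfer
    return list(data), bus.io_port != snapshot # final before/after comparison


# Constructed sample: three bytes standing in for a key fragment (not a real value).
SECRET = [0x5A, 0xC3, 0x7E]
```

The probe only exposes `probe_len` words on a rerouted bus, which is the point of claim 7(a); it is blind to a rerouting if the probe word happens to equal the port's resting value, so a real design would choose the probe word accordingly.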

8. A chip according to claim 1 and further comprising: 

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock cycle
frequency;

(b) an internal system clock for synchronising functions performed on the chip, the internal system clock cycle
frequency being within a predetermined range of accuracy; and

(c) a clock integrity checking means for causing the chip to perform a reference operation requiring a predetermined
number of internal clock cycles and for determining, from the number of internal clock cycles elapsed per actual
external clock cycle during the performance of the reference operation, whether the number of elapsed actual
external clock cycles lies within the range of expected external clock cycles,

whereby the chip can detect unauthorised tampering with the external clock frequency. 

9. A chip according to claim 1 and further comprising:

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock
frequency, the real time clock having a counter for counting the number of elapsed external clock cycles;

(b) a rollover detector for detecting whether the real time clock counter rolled over; and

(c) a rollover bit, set upon detecting that the real time clock counter rolled over,

whereby, if the rollover bit is set during an operation not expected to require a sufficient number of external clock
cycles to cause the counter to roll over, the chip will detect unauthorised tampering with the external clock
frequency.
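The two clock checks of claims 8 and 9 carried through numerically, as an added example rather than the patent's own code. The cycle budget of the reference operation, the nominal internal-to-external ratio, the tolerance band and the counter width are constructed values chosen for illustration.

```python
# Added simulation (example code, not the patent's own) of the clock integrity
# check of claim 8 and the rollover check of claim 9. All constants below are
# constructed for the example.
REF_OP_INTERNAL_CYCLES = 10_000   # the reference operation always costs this many internal cycles
NOMINAL_RATIO = 100               # internal cycles expected per external (crystal) cycle
TOLERANCE = 0.10                  # accuracy of the internal system clock: +/-10 percent
COUNTER_BITS = 8                  # width of the real-time-clock cycle counter


def clock_integrity_ok(external_cycles_elapsed):
    """Claim 8: the reference operation should span about
    REF_OP_INTERNAL_CYCLES / NOMINAL_RATIO external cycles. A count outside the
    tolerance band means the external crystal frequency has been altered: too few
    external cycles if it was slowed, too many if it was sped up."""
    expected = REF_OP_INTERNAL_CYCLES / NOMINAL_RATIO
    low, high = expected * (1 - TOLERANCE), expected * (1 + TOLERANCE)
    return low <= external_cycles_elapsed <= high


def rollover_check(counter_start, external_cycles_elapsed, max_expected_cycles):
    """Claim 9: advance the RTC counter by the external cycles observed during an
    operation, set the rollover bit if the counter wrapped, and flag tampering
    when a wrap occurs during an operation that should not have needed enough
    cycles to wrap it. Returns (new_counter, rollover_bit, tampering_detected)."""
    modulus = 1 << COUNTER_BITS
    total = counter_start + external_cycles_elapsed
    new_counter = total % modulus
    rollover_bit = total >= modulus
    cycles_to_wrap = modulus - counter_start           # what a wrap would legitimately need
    tampering = rollover_bit and max_expected_cycles < cycles_to_wrap
    return new_counter, rollover_bit, tampering
```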

10. A chip according to claim 1 and further comprising:

(a) a rewritable memory for storing sensitive information;

(b) a power loss detector for detecting that the loss of both system and battery power is imminent; and

(c) a VRT bit for indicating the sufficiency of system and battery power following the loading of sensitive
information into the rewritable memory, the VRT bit being set upon the loading of the sensitive information into the
rewritable memory and reset upon the detection of power loss,

whereby the chip can detect the need to save the sensitive information prior to the actual loss of both system and
battery power.

11. A chip according to claim 10 and further comprising a rewritable memory modification detector for detecting
modification of the rewritable memory, whereby the chip can detect the need to reload the sensitive information into the
rewritable memory.

12. A chip according to claim 1 wherein the chip comprises:

(a) a rewritable memory for storing sensitive information having a substantially constant value;

(b) a memory inverter for periodically inverting the contents of each cell of the rewritable memory; and

(c) a memory state bit for indicating whether the contents of each cell of the rewritable memory are in their
actual state, or in the inverted state,

whereby the contents of the rewritable memory contain effectively no residual indication of the constant value of the
sensitive information.